xref: /freebsd/contrib/ntp/NEWS (revision 076b94438c7d42c1b4661ed1e12e3b12ca69361a)
1--
2NTP 4.2.8p12 (Harlan Stenn <stenn@ntp.org>, 2018/14/09)
3
4NOTE: this NEWS file will be undergoing more revisions.
5
6Focus: Security, Bug fixes, enhancements.
7
8Severity: MEDIUM
9
10This release fixes a "hole" in the noepeer capability introduced to ntpd
11in ntp-4.2.8p11, and a buffer overflow in the openhost() function used by
12ntpq and ntpdc.  It also provides 26 other bugfixes, and 4 other improvements:
13
14* [Sec 3505] Buffer overflow in the openhost() call of ntpq and ntpdc.
15
16* [Sec 3012] Fix a hole in the new "noepeer" processing.
17
18* Bug Fixes:
19 [Bug 3521] Fix a logic bug in the INVALIDNAK checks.  <stenn@ntp.org>
20 [Bug 3509] Add support for running as non-root on FreeBSD, Darwin,
21            other TrustedBSD platforms
22 - applied patch by Ian Lepore <perlinger@ntp.org>
23 [Bug 3506] Service Control Manager interacts poorly with NTPD <perlinger@ntp.org>
24 - changed interaction with SCM to signal pending startup
25 [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() <perlinger@ntp.org>
26 - applied patch by Gerry Garvey
27 [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c <perlinger@ntp.org>
28 - applied patch by Gerry Garvey
29 [Bug 3484] ntpq response from ntpd is incorrect when REFID is null <perlinger@ntp.org>
30 - rework of ntpq 'nextvar()' key/value parsing
31 [Bug 3482] Fixes for compilation warnings (ntp_io.c & ntpq-subs.c) <perlinger@ntp.org>
32 - applied patch by Gerry Garvey (with mods)
33 [Bug 3480] Refclock sample filter not cleared on clock STEP <perlinger@ntp.org>
34 - applied patch by Gerry Garvey
35 [Bug 3479] ctl_putrefid() allows unsafe characters through to ntpq <perlinger@ntp.org>
36 - applied patch by Gerry Garvey (with mods)
37 [Bug 3476]ctl_putstr() sends empty unquoted string [...] <perlinger@ntp.org>
38 - applied patch by Gerry Garvey (with mods); not sure if that's bug or feature, though
39 [Bug 3475] modify prettydate() to suppress output of zero time <perlinger@ntp.org>
40 - applied patch by Gerry Garvey
41 [Bug 3474] Missing pmode in mode7 peer info response <perlinger@ntp.org>
42 - applied patch by Gerry Garvey
43 [Bug 3471] Check for openssl/[ch]mac.h.  HStenn.
44 - add #define ENABLE_CMAC support in configure.  HStenn.
45 [Bug 3470] ntpd4.2.8p11 fails to compile without OpenSSL <perlinger@ntp.org>
46 [Bug 3469] Incomplete string compare [...] in is_refclk_addr <perlinger@ntp.org>
47 - patch by Stephen Friedl
48 [Bug 3467] Potential memory fault in ntpq [...] <perlinger@ntp.org>
49 - fixed IO redirection and CTRL-C handling in ntq and ntpdc
50 [Bug 3465] Default TTL values cannot be used <perlinger@ntp.org>
51 [Bug 3461] refclock_shm.c: clear error status on clock recovery <perlinger@ntp.org>
52 - initial patch by Hal Murray; also fixed refclock_report() trouble
53 [Bug 3460] Fix typo in ntpq.texi, reported by Kenyon Ralph.  <stenn@ntp.org>
54 [Bug 3456] Use uintptr_t rather than size_t to store an integer in a pointer
55 - According to Brooks Davis, there was only one location <perlinger@ntp.org>
56 [Bug 3449] ntpq - display "loop" instead of refid [...] <perlinger@ntp.org>
57 - applied patch by Gerry Garvey
58 [Bug 3445] Symmetric peer won't sync on startup <perlinger@ntp.org>
59 - applied patch by Gerry Garvey
60 [Bug 3442] Fixes for ntpdate as suggested by Gerry Garvey,
61 with modifications
62 New macro REFID_ISTEXT() which is also used in ntpd/ntp_control.c.
63 [Bug 3434] ntpd clears STA_UNSYNC on start <perlinger@ntp.org>
64 - applied patch by Miroslav Lichvar
65 [Bug 3426] ntpdate.html -t default is 2 seconds.  Leonid Evdokimov.
66 [Bug 3121] Drop root privileges for the forked DNS worker <perlinger@ntp.org>
67 - integrated patch by  Reinhard Max
68 [Bug 2821] minor build issues <perlinger@ntp.org>
69 - applied patches by Christos Zoulas, including real bug fixes
70 html/authopt.html: cleanup, from <stenn@ntp.org>
71 ntpd/ntpd.c: DROPROOT cleanup.  <stenn@ntp.org>
72 Symmetric key range is 1-65535.  Update docs.   <stenn@ntp.org>
73
74--
75NTP 4.2.8p11 (Harlan Stenn <stenn@ntp.org>, 2018/02/27)
76
77Focus: Security, Bug fixes, enhancements.
78
79Severity: MEDIUM
80
81This release fixes 2 low-/medium-, 1 informational/medum-, and 2 low-severity
82vulnerabilities in ntpd, one medium-severity vulernability in ntpq, and
83provides 65 other non-security fixes and improvements:
84
85* NTP Bug 3454: Unauthenticated packet can reset authenticated interleaved
86	association (LOW/MED)
87   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
88   References: Sec 3454 / CVE-2018-7185 / VU#961909
89   Affects: ntp-4.2.6, up to but not including ntp-4.2.8p11.
90   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) This could score between
91	2.9 and 6.8.
92   CVSS3: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L This could
93	score between 2.6 and 3.1
94   Summary:
95	The NTP Protocol allows for both non-authenticated and
96	authenticated associations, in client/server, symmetric (peer),
97	and several broadcast modes. In addition to the basic NTP
98	operational modes, symmetric mode and broadcast servers can
99	support an interleaved mode of operation. In ntp-4.2.8p4 a bug
100	was inadvertently introduced into the protocol engine that
101	allows a non-authenticated zero-origin (reset) packet to reset
102	an authenticated interleaved peer association. If an attacker
103	can send a packet with a zero-origin timestamp and the source
104	IP address of the "other side" of an interleaved association,
105	the 'victim' ntpd will reset its association. The attacker must
106	continue sending these packets in order to maintain the
107	disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6,
108	interleave mode could be entered dynamically. As of ntp-4.2.8p7,
109	interleaved mode must be explicitly configured/enabled.
110   Mitigation:
111	Implement BCP-38.
112	Upgrade to 4.2.8p11, or later, from the NTP Project Download Page
113	    or the NTP Public Services Project Download Page.
114	If you are unable to upgrade to 4.2.8p11 or later and have
115	    'peer HOST xleave' lines in your ntp.conf file, remove the
116	    'xleave' option.
117	Have enough sources of time.
118	Properly monitor your ntpd instances.
119	If ntpd stops running, auto-restart it without -g .
120   Credit:
121   	This weakness was discovered by Miroslav Lichvar of Red Hat.
122
123* NTP Bug 3453: Interleaved symmetric mode cannot recover from bad
124	state (LOW/MED)
125   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
126   References: Sec 3453 / CVE-2018-7184 / VU#961909
127   Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11.
128   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
129	Could score between 2.9 and 6.8.
130   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
131	Could score between 2.6 and 6.0.
132   Summary:
133   	The fix for NtpBug2952 was incomplete, and while it fixed one
134	problem it created another.  Specifically, it drops bad packets
135	before updating the "received" timestamp.  This means a
136	third-party can inject a packet with a zero-origin timestamp,
137	meaning the sender wants to reset the association, and the
138	transmit timestamp in this bogus packet will be saved as the
139	most recent "received" timestamp.  The real remote peer does
140	not know this value and this will disrupt the association until
141	the association resets.
142   Mitigation:
143	Implement BCP-38.
144	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
145	    or the NTP Public Services Project Download Page.
146	Use authentication with 'peer' mode.
147	Have enough sources of time.
148	Properly monitor your ntpd instances.
149	If ntpd stops running, auto-restart it without -g .
150   Credit:
151   	This weakness was discovered by Miroslav Lichvar of Red Hat.
152
153* NTP Bug 3415: Provide a way to prevent authenticated symmetric passive
154	peering (LOW)
155   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
156   References: Sec 3415 / CVE-2018-7170 / VU#961909
157   	       Sec 3012 / CVE-2016-1549 / VU#718152
158   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
159   	4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
160   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
161   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
162   Summary:
163	ntpd can be vulnerable to Sybil attacks.  If a system is set up to
164	use a trustedkey and if one is not using the feature introduced in
165	ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to
166	specify which IPs can serve time, a malicious authenticated peer
167	-- i.e. one where the attacker knows the private symmetric key --
168	can create arbitrarily-many ephemeral associations in order to win
169	the clock selection of ntpd and modify a victim's clock.  Three
170	additional protections are offered in ntp-4.2.8p11.  One is the
171	new 'noepeer' directive, which disables symmetric passive
172	ephemeral peering. Another is the new 'ippeerlimit' directive,
173	which limits the number of peers that can be created from an IP.
174	The third extends the functionality of the 4th field in the
175	ntp.keys file to include specifying a subnet range.
176   Mitigation:
177	Implement BCP-38.
178	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
179	    or the NTP Public Services Project Download Page.
180	Use the 'noepeer' directive to prohibit symmetric passive
181	    ephemeral associations.
182	Use the 'ippeerlimit' directive to limit the number of peers
183	    that can be created from an IP.
184	Use the 4th argument in the ntp.keys file to limit the IPs and
185	    subnets that can be time servers.
186	Have enough sources of time.
187	Properly monitor your ntpd instances.
188	If ntpd stops running, auto-restart it without -g .
189   Credit:
190	This weakness was reported as Bug 3012 by Matthew Van Gundy of
191	Cisco ASIG, and separately by Stefan Moser as Bug 3415.
192
193* ntpq Bug 3414: decodearr() can write beyond its 'buf' limits (Medium)
194   Date Resolved: 27 Feb 2018
195   References: Sec 3414 / CVE-2018-7183 / VU#961909
196   Affects: ntpq in ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
197   CVSS2: MED 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
198   CVSS3: MED 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
199   Summary:
200   	ntpq is a monitoring and control program for ntpd.  decodearr()
201	is an internal function of ntpq that is used to -- wait for it --
202	decode an array in a response string when formatted data is being
203	displayed.  This is a problem in affected versions of ntpq if a
204	maliciously-altered ntpd returns an array result that will trip this
205	bug, or if a bad actor is able to read an ntpq request on its way to
206	a remote ntpd server and forge and send a response before the remote
207	ntpd sends its response.  It's potentially possible that the
208	malicious data could become injectable/executable code.
209   Mitigation:
210	Implement BCP-38.
211	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
212	    or the NTP Public Services Project Download Page.
213   Credit:
214	This weakness was discovered by Michael Macnair of Thales e-Security.
215
216* NTP Bug 3412: ctl_getitem(): buffer read overrun leads to undefined
217	behavior and information leak (Info/Medium)
218   Date Resolved: 27 Feb 2018
219   References: Sec 3412 / CVE-2018-7182 / VU#961909
220   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
221   CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N
222   CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
223	0.0 if C:N
224   Summary:
225	ctl_getitem()  is used by ntpd to process incoming mode 6 packets.
226	A malicious mode 6 packet can be sent to an ntpd instance, and
227	if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will
228	cause ctl_getitem() to read past the end of its buffer.
229   Mitigation:
230	Implement BCP-38.
231	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
232	    or the NTP Public Services Project Download Page.
233	Have enough sources of time.
234	Properly monitor your ntpd instances.
235	If ntpd stops running, auto-restart it without -g .
236   Credit:
237   	This weakness was discovered by Yihan Lian of Qihoo 360.
238
239* NTP Bug 3012: Sybil vulnerability: ephemeral association attack
240   Also see Bug 3415, above.
241   Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
242   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
243   References: Sec 3012 / CVE-2016-1549 / VU#718152
244   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
245	4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
246   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
247   CVSS3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
248   Summary:
249	ntpd can be vulnerable to Sybil attacks.  If a system is set up
250	to use a trustedkey and if one is not using the feature
251	introduced in ntp-4.2.8p6 allowing an optional 4th field in the
252	ntp.keys file to specify which IPs can serve time, a malicious
253	authenticated peer -- i.e. one where the attacker knows the
254	private symmetric key -- can create arbitrarily-many ephemeral
255	associations in order to win the clock selection of ntpd and
256	modify a victim's clock.  Two additional protections are
257	offered in ntp-4.2.8p11.  One is the 'noepeer' directive, which
258	disables symmetric passive ephemeral peering. The other extends
259	the functionality of the 4th field in the ntp.keys file to
260	include specifying a subnet range.
261   Mitigation:
262	Implement BCP-38.
263	Upgrade to 4.2.8p11, or later, from the NTP Project Download Page or
264	    the NTP Public Services Project Download Page.
265	Use the 'noepeer' directive to prohibit symmetric passive
266	    ephemeral associations.
267	Use the 'ippeerlimit' directive to limit the number of peer
268	    associations from an IP.
269	Use the 4th argument in the ntp.keys file to limit the IPs
270	    and subnets that can be time servers.
271	Properly monitor your ntpd instances.
272   Credit:
273   	This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
274
275* Bug fixes:
276 [Bug 3457] OpenSSL FIPS mode regression <perlinger@ntp.org>
277 [Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger@ntp.org>
278 - applied patch by Sean Haugh
279 [Bug 3452] PARSE driver prints uninitialized memory. <perlinger@ntp.org>
280 [Bug 3450] Dubious error messages from plausibility checks in get_systime()
281 - removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org>
282 [Bug 3447] AES-128-CMAC (fixes) <perlinger@ntp.org>
283 - refactoring the MAC code, too
284 [Bug 3441] Validate the assumption that AF_UNSPEC is 0.  stenn@ntp.org
285 [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger@ntp.org>
286 - applied patch by ggarvey
287 [Bug 3438] Negative values and values > 999 days in... <perlinger@ntp.org>
288 - applied patch by ggarvey (with minor mods)
289 [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain
290 - applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org>
291 [Bug 3435] anchor NTP era alignment <perlinger@ntp.org>
292 [Bug 3433] sntp crashes when run with -a.  <stenn@ntp.org>
293 [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2"
294 - fixed several issues with hash algos in ntpd, sntp, ntpq,
295   ntpdc and the test suites <perlinger@ntp.org>
296 [Bug 3424] Trimble Thunderbolt 1024 week millenium bug <perlinger@ntp.org>
297 - initial patch by Daniel Pouzzner
298 [Bug 3423] QNX adjtime() implementation error checking is
299 wrong <perlinger@ntp.org>
300 [Bug 3417] ntpq ifstats packet counters can be negative
301 made IFSTATS counter quantities unsigned <perlinger@ntp.org>
302 [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10
303 - raised receive buffer size to 1200 <perlinger@ntp.org>
304 [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static
305 analysis tool. <abe@ntp.org>
306 [Bug 3405] update-leap.in: general cleanup, HTTPS support.  Paul McMath.
307 [Bug 3404] Fix openSSL DLL usage under Windows <perlinger@ntp.org>
308 - fix/drop assumptions on OpenSSL libs directory layout
309 [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation
310 - initial patch by timeflies@mail2tor.com  <perlinger@ntp.org>
311 [Bug 3398] tests fail with core dump <perlinger@ntp.org>
312 - patch contributed by Alexander Bluhm
313 [Bug 3397] ctl_putstr() asserts that data fits in its buffer
314 rework of formatting & data transfer stuff in 'ntp_control.c'
315 avoids unecessary buffers and size limitations. <perlinger@ntp.org>
316 [Bug 3394] Leap second deletion does not work on ntpd clients
317 - fixed handling of dynamic deletion w/o leap file <perlinger@ntp.org>
318 [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size
319 - increased mimimum stack size to 32kB <perlinger@ntp.org>
320 [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger@ntp.org>
321 - reverted handling of PPS kernel consumer to 4.2.6 behavior
322 [Bug 3365] Updates driver40(-ja).html and miscopt.html <abe@ntp.org>
323 [Bug 3358] Spurious KoD log messages in .INIT. phase.  HStenn.
324 [Bug 3016] wrong error position reported for bad ":config pool"
325 - fixed location counter & ntpq output <perlinger@ntp.org>
326 [Bug 2900] libntp build order problem.  HStenn.
327 [Bug 2878] Tests are cluttering up syslog <perlinger@ntp.org>
328 [Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net,
329 perlinger@ntp.org
330 [Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp.
331 [Bug 948] Trustedkey config directive leaks memory. <perlinger@ntp.org>
332 Use strlcpy() to copy strings, not memcpy().  HStenn.
333 Typos.  HStenn.
334 test_ntp_scanner_LDADD needs ntpd/ntp_io.o.  HStenn.
335 refclock_jjy.c: Add missing "%s" to an msyslog() call.  HStenn.
336 Build ntpq and libntpq.a with NTP_HARD_*FLAGS.  perlinger@ntp.org
337 Fix trivial warnings from 'make check'. perlinger@ntp.org
338 Fix bug in the override portion of the compiler hardening macro. HStenn.
339 record_raw_stats(): Log entire packet.  Log writes.  HStenn.
340 AES-128-CMAC support.  BInglis, HStenn, JPerlinger.
341 sntp: tweak key file logging.  HStenn.
342 sntp: pkt_output(): Improve debug output.  HStenn.
343 update-leap: updates from Paul McMath.
344 When using pkg-config, report --modversion.  HStenn.
345 Clean up libevent configure checks.  HStenn.
346 sntp: show the IP of who sent us a crypto-NAK.  HStenn.
347 Allow .../N to specify subnet bits for IPs in ntp.keys.  HStenn, JPerlinger.
348 authistrustedip() - use it in more places.  HStenn, JPerlinger.
349 New sysstats: sys_lamport, sys_tsrounding.  HStenn.
350 Update ntp.keys .../N documentation.  HStenn.
351 Distribute testconf.yml.  HStenn.
352 Add DPRINTF(2,...) lines to receive() for packet drops.  HStenn.
353 Rename the configuration flag fifo variables.  HStenn.
354 Improve saveconfig output.  HStenn.
355 Decode restrict flags on receive() debug output.  HStenn.
356 Decode interface flags on receive() debug output.  HStenn.
357 Warn the user if deprecated "driftfile name WanderThreshold" is used.  HStenn.
358 Update the documentation in ntp.conf.def .  HStenn.
359 restrictions() must return restrict flags and ippeerlimit.  HStenn.
360 Update ntpq peer documentation to describe the 'p' type.  HStenn.
361 Rename restrict 'flags' to 'rflags.  Use an enum for the values.  HStenn.
362 Provide dump_restricts() for debugging.  HStenn.
363 Use consistent 4th arg type for [gs]etsockopt.  JPerlinger.
364
365* Other items:
366
367* update-leap needs the following perl modules:
368	Net::SSLeay
369	IO::Socket::SSL
370
371* New sysstats variables: sys_lamport, sys_tsrounding
372See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding"
373sys_lamport counts the number of observed Lamport violations, while
374sys_tsrounding counts observed timestamp rounding events.
375
376* New ntp.conf items:
377
378- restrict ... noepeer
379- restrict ... ippeerlimit N
380
381The 'noepeer' directive will disallow all ephemeral/passive peer
382requests.
383
384The 'ippeerlimit' directive limits the number of time associations
385for each IP in the designated set of addresses.  This limit does not
386apply to explicitly-configured associations.  A value of -1, the current
387default, means an unlimited number of associations may connect from a
388single IP.  0 means "none", etc.  Ordinarily the only way multiple
389associations would come from the same IP would be if the remote side
390was using a proxy.  But a trusted machine might become compromised,
391in which case an attacker might spin up multiple authenticated sessions
392from different ports.  This directive should be helpful in this case.
393
394* New ntp.keys feature: Each IP in the optional list of IPs in the 4th
395field may contain a /subnetbits specification, which identifies  the
396scope of IPs that may use this key.  This IP/subnet restriction can be
397used to limit the IPs that may use the key in most all situations where
398a key is used.
399--
400NTP 4.2.8p10 (Harlan Stenn <stenn@ntp.org>, 2017/03/21)
401
402Focus: Security, Bug fixes, enhancements.
403
404Severity: MEDIUM
405
406This release fixes 5 medium-, 6 low-, and 4 informational-severity
407vulnerabilities, and provides 15 other non-security fixes and improvements:
408
409* NTP-01-016 NTP: Denial of Service via Malformed Config (Medium)
410   Date Resolved: 21 Mar 2017
411   References: Sec 3389 / CVE-2017-6464 / VU#325339
412   Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and
413	ntp-4.3.0 up to, but not including ntp-4.3.94.
414   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
415   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
416   Summary:
417	A vulnerability found in the NTP server makes it possible for an
418	authenticated remote user to crash ntpd via a malformed mode
419	configuration directive.
420   Mitigation:
421	Implement BCP-38.
422	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
423	    the NTP Public Services Project Download Page
424	Properly monitor your ntpd instances, and auto-restart
425	    ntpd (without -g) if it stops running.
426   Credit:
427	This weakness was discovered by Cure53.
428
429* NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low)
430    Date Resolved: 21 Mar 2017
431    References: Sec 3388 / CVE-2017-6462 / VU#325339
432    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
433    CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
434    CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
435    Summary:
436	There is a potential for a buffer overflow in the legacy Datum
437	Programmable Time Server refclock driver.  Here the packets are
438	processed from the /dev/datum device and handled in
439	datum_pts_receive().  Since an attacker would be required to
440	somehow control a malicious /dev/datum device, this does not
441	appear to be a practical attack and renders this issue "Low" in
442	terms of severity.
443   Mitigation:
444	If you have a Datum reference clock installed and think somebody
445	    may maliciously change the device, upgrade to 4.2.8p10, or
446	    later, from the NTP Project Download Page or the NTP Public
447	    Services Project Download Page
448	Properly monitor your ntpd instances, and auto-restart
449	    ntpd (without -g) if it stops running.
450   Credit:
451	This weakness was discovered by Cure53.
452
453* NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium)
454   Date Resolved: 21 Mar 2017
455   References: Sec 3387 / CVE-2017-6463 / VU#325339
456   Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and
457	ntp-4.3.0 up to, but not including ntp-4.3.94.
458   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
459   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
460   Summary:
461	A vulnerability found in the NTP server allows an authenticated
462	remote attacker to crash the daemon by sending an invalid setting
463	via the :config directive.  The unpeer option expects a number or
464	an address as an argument.  In case the value is "0", a
465	segmentation fault occurs.
466   Mitigation:
467	Implement BCP-38.
468	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
469	    or the NTP Public Services Project Download Page
470	Properly monitor your ntpd instances, and auto-restart
471	    ntpd (without -g) if it stops running.
472   Credit:
473	This weakness was discovered by Cure53.
474
475* NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational)
476   Date Resolved: 21 Mar 2017
477   References: Sec 3386
478   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
479	ntp-4.3.0 up to, but not including ntp-4.3.94.
480   CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N)
481   CVSS3: None 0.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N
482   Summary:
483	The NTP Mode 6 monitoring and control client, ntpq, uses the
484	function ntpq_stripquotes() to remove quotes and escape characters
485	from a given string.  According to the documentation, the function
486	is supposed to return the number of copied bytes but due to
487	incorrect pointer usage this value is always zero.  Although the
488	return value of this function is never used in the code, this
489	flaw could lead to a vulnerability in the future.  Since relying
490	on wrong return values when performing memory operations is a
491	dangerous practice, it is recommended to return the correct value
492	in accordance with the documentation pertinent to the code.
493   Mitigation:
494	Implement BCP-38.
495	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
496	    or the NTP Public Services Project Download Page
497	Properly monitor your ntpd instances, and auto-restart
498	    ntpd (without -g) if it stops running.
499   Credit:
500	This weakness was discovered by Cure53.
501
502* NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Info)
503   Date Resolved: 21 Mar 2017
504   References: Sec 3385
505   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
506	ntp-4.3.0 up to, but not including ntp-4.3.94.
507   Summary:
508	NTP makes use of several wrappers around the standard heap memory
509	allocation functions that are provided by libc.  This is mainly
510	done to introduce additional safety checks concentrated on
511	several goals.  First, they seek to ensure that memory is not
512	accidentally freed, secondly they verify that a correct amount
513	is always allocated and, thirdly, that allocation failures are
514	correctly handled.  There is an additional implementation for
515	scenarios where memory for a specific amount of items of the
516	same size needs to be allocated.  The handling can be found in
517	the oreallocarray() function for which a further number-of-elements
518	parameter needs to be provided.  Although no considerable threat
519	was identified as tied to a lack of use of this function, it is
520	recommended to correctly apply oreallocarray() as a preferred
521	option across all of the locations where it is possible.
522   Mitigation:
523	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
524	    or the NTP Public Services Project Download Page
525   Credit:
526	This weakness was discovered by Cure53.
527
528* NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS
529	PPSAPI ONLY) (Low)
530   Date Resolved: 21 Mar 2017
531   References: Sec 3384 / CVE-2017-6455 / VU#325339
532   Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but
533	not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not
534	including ntp-4.3.94.
535   CVSS2: MED 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
536   CVSS3: MED 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
537   Summary:
538	The Windows NT port has the added capability to preload DLLs
539	defined in the inherited global local environment variable
540	PPSAPI_DLLS.  The code contained within those libraries is then
541	called from the NTPD service, usually running with elevated
542	privileges. Depending on how securely the machine is setup and
543	configured, if ntpd is configured to use the PPSAPI under Windows
544	this can easily lead to a code injection.
545   Mitigation:
546	Implement BCP-38.
547	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
548	    or the NTP Public Services Project Download Page
549   Credit:
550   This weakness was discovered by Cure53.
551
552* NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS
553	installer ONLY) (Low)
554   Date Resolved: 21 Mar 2017
555   References: Sec 3383 / CVE-2017-6452 / VU#325339
556   Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows
557	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up
558	to, but not including ntp-4.3.94.
559   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
560   CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
561   Summary:
562	The Windows installer for NTP calls strcat(), blindly appending
563	the string passed to the stack buffer in the addSourceToRegistry()
564	function.  The stack buffer is 70 bytes smaller than the buffer
565	in the calling main() function.  Together with the initially
566	copied Registry path, the combination causes a stack buffer
567	overflow and effectively overwrites the stack frame.  The
568	passed application path is actually limited to 256 bytes by the
569	operating system, but this is not sufficient to assure that the
570	affected stack buffer is consistently protected against
571	overflowing at all times.
572   Mitigation:
573	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
574	or the NTP Public Services Project Download Page
575   Credit:
576	This weakness was discovered by Cure53.
577
578* NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS
579	installer ONLY) (Low)
580   Date Resolved: 21 Mar 2017
581   References: Sec 3382 / CVE-2017-6459 / VU#325339
582   Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows
583	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0
584	up to, but not including ntp-4.3.94.
585   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
586   CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
587   Summary:
588	The Windows installer for NTP calls strcpy() with an argument
589	that specifically contains multiple null bytes.  strcpy() only
590	copies a single terminating null character into the target
591	buffer instead of copying the required double null bytes in the
592	addKeysToRegistry() function.  As a consequence, a garbage
593	registry entry can be created.  The additional arsize parameter
594	is erroneously set to contain two null bytes and the following
595	call to RegSetValueEx() claims to be passing in a multi-string
596	value, though this may not be true.
597   Mitigation:
598	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
599	    or the NTP Public Services Project Download Page
600   Credit:
601	This weakness was discovered by Cure53.
602
603* NTP-01-006 NTP: Copious amounts of Unused Code (Informational)
604   References: Sec 3381
605   Summary:
606	The report says: Statically included external projects
607	potentially introduce several problems and the issue of having
608	extensive amounts of code that is "dead" in the resulting binary
609	must clearly be pointed out.  The unnecessary unused code may or
610	may not contain bugs and, quite possibly, might be leveraged for
611	code-gadget-based branch-flow redirection exploits.  Analogically,
612	having source trees statically included as well means a failure
613	in taking advantage of the free feature for periodical updates.
614	This solution is offered by the system's Package Manager. The
615	three libraries identified are libisc, libevent, and libopts.
616   Resolution:
617	For libisc, we already only use a portion of the original library.
618	We've found and fixed bugs in the original implementation (and
619	offered the patches to ISC), and plan to see what has changed
620	since we last upgraded the code.  libisc is generally not
621	installed, and when it it we usually only see the static libisc.a
622	file installed.  Until we know for sure that the bugs we've found
623	and fixed are fixed upstream, we're better off with the copy we
624	are using.
625
626        Version 1 of libevent was the only production version available
627	until recently, and we've been requiring version 2 for a long time.
628	But if the build system has at least version 2 of libevent
629	installed, we'll use the version that is installed on the system.
630	Otherwise, we provide a copy of libevent that we know works.
631
632        libopts is provided by GNU AutoGen, and that library and package
633	undergoes frequent API version updates.  The version of autogen
634	used to generate the tables for the code must match the API
635	version in libopts.  AutoGen can be ... difficult to build and
636	install, and very few developers really need it.  So we have it
637	on our build and development machines, and we provide the
638	specific version of the libopts code in the distribution to make
639	sure that the proper API version of libopts is available.
640
641        As for the point about there being code in these libraries that
642	NTP doesn't use, OK.  But other packages used these libraries as
643	well, and it is reasonable to assume that other people are paying
644	attention to security and code quality issues for the overall
645	libraries.  It takes significant resources to analyze and
646	customize these libraries to only include what we need, and to
647	date we believe the cost of this effort does not justify the benefit.
648   Credit:
649	This issue was discovered by Cure53.
650
651* NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Low)
652   Date Resolved: 21 Mar 2017
653   References: Sec 3380
654   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
655   	ntp-4.3.0 up to, but not including ntp-4.3.94.
656   CVSS2: None 0.0 (AV:L/AC:H/Au:N/C:N/I:N/A:N)
657   CVSS3: None 0.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N
658   Summary:
659	There is a fencepost error in a "recovery branch" of the code for
660	the Oncore GPS receiver if the communication link to the ONCORE
661	is weak / distorted and the decoding doesn't work.
662   Mitigation:
663        Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
664	    the NTP Public Services Project Download Page
665        Properly monitor your ntpd instances, and auto-restart
666	    ntpd (without -g) if it stops running.
667   Credit:
668	This weakness was discovered by Cure53.
669
670* NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Medium)
671   Date Resolved: 21 Mar 2017
672   References: Sec 3379 / CVE-2017-6458 / VU#325339
673   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
674	ntp-4.3.0 up to, but not including ntp-4.3.94.
675   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
676   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
677   Summary:
678	ntpd makes use of different wrappers around ctl_putdata() to
679	create name/value ntpq (mode 6) response strings.  For example,
680	ctl_putstr() is usually used to send string data (variable names
681	or string data).  The formatting code was missing a length check
682	for variable names.  If somebody explicitly created any unusually
683	long variable names in ntpd (longer than 200-512 bytes, depending
684	on the type of variable), then if any of these variables are
685	added to the response list it would overflow a buffer.
686   Mitigation:
687	Implement BCP-38.
688	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
689	    or the NTP Public Services Project Download Page
690	If you don't want to upgrade, then don't setvar variable names
691	    longer than 200-512 bytes in your ntp.conf file.
692	Properly monitor your ntpd instances, and auto-restart
693	    ntpd (without -g) if it stops running.
694   Credit:
695	This weakness was discovered by Cure53.
696
697* NTP-01-003 NTP: Improper use of snprintf() in mx4200_send() (Low)
698   Date Resolved: 21 Mar 2017
699   References: Sec 3378 / CVE-2017-6451 / VU#325339
700   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
701	ntp-4.3.0 up to, but not including ntp-4.3.94.
702   CVSS2: LOW 0.8 (AV:L/AC:H/Au:M/C:N/I:N/A:P)
703   CVSS3: LOW 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
704   Summary:
705	The legacy MX4200 refclock is only built if is specifically
706	enabled, and furthermore additional code changes are required to
707	compile and use it.  But it uses the libc functions snprintf()
708	and vsnprintf() incorrectly, which can lead to an out-of-bounds
709	memory write due to an improper handling of the return value of
710	snprintf()/vsnprintf().  Since the return value is used as an
711	iterator and it can be larger than the buffer's size, it is
712	possible for the iterator to point somewhere outside of the
713	allocated buffer space.  This results in an out-of-bound memory
714	write.  This behavior can be leveraged to overwrite a saved
715	instruction pointer on the stack and gain control over the
716	execution flow.  During testing it was not possible to identify
717	any malicious usage for this vulnerability.  Specifically, no
718	way for an attacker to exploit this vulnerability was ultimately
719	unveiled.  However, it has the potential to be exploited, so the
720	code should be fixed.
721   Mitigation, if you have a Magnavox MX4200 refclock:
722	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
723	    or the NTP Public Services Project Download Page.
724	Properly monitor your ntpd instances, and auto-restart
725	    ntpd (without -g) if it stops running.
726   Credit:
727	This weakness was discovered by Cure53.
728
729* NTP-01-002 NTP: Buffer Overflow in ntpq when fetching reslist from a
730	malicious ntpd (Medium)
731   Date Resolved: 21 Mar 2017
732   References: Sec 3377 / CVE-2017-6460 / VU#325339
733   Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and
734	ntp-4.3.0 up to, but not including ntp-4.3.94.
735   CVSS2: MED 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C)
736   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
737   Summary:
738	A stack buffer overflow in ntpq can be triggered by a malicious
739	ntpd server when ntpq requests the restriction list from the server.
740	This is due to a missing length check in the reslist() function.
741	It occurs whenever the function parses the server's response and
742	encounters a flagstr variable of an excessive length.  The string
743	will be copied into a fixed-size buffer, leading to an overflow on
744	the function's stack-frame.  Note well that this problem requires
745	a malicious server, and affects ntpq, not ntpd.
746   Mitigation:
747	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
748	    or the NTP Public Services Project Download Page
749	If you can't upgrade your version of ntpq then if you want to know
750	    the reslist of an instance of ntpd that you do not control,
751	    know that if the target ntpd is malicious that it can send back
752	    a response that intends to crash your ntpq process.
753   Credit:
754	This weakness was discovered by Cure53.
755
756* NTP-01-001 NTP: Makefile does not enforce Security Flags (Informational)
757   Date Resolved: 21 Mar 2017
758   References: Sec 3376
759   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
760	ntp-4.3.0 up to, but not including ntp-4.3.94.
761   CVSS2: N/A
762   CVSS3: N/A
763   Summary:
764	The build process for NTP has not, by default, provided compile
765	or link flags to offer "hardened" security options.  Package
766	maintainers have always been able to provide hardening security
767	flags for their builds.  As of ntp-4.2.8p10, the NTP build
768	system has a way to provide OS-specific hardening flags.  Please
769	note that this is still not a really great solution because it
770	is specific to NTP builds.  It's inefficient to have every
771	package supply, track and maintain this information for every
772	target build.  It would be much better if there was a common way
773	for OSes to provide this information in a way that arbitrary
774	packages could benefit from it.
775   Mitigation:
776	Implement BCP-38.
777	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
778	    or the NTP Public Services Project Download Page
779	Properly monitor your ntpd instances, and auto-restart
780	    ntpd (without -g) if it stops running.
781   Credit:
782	This weakness was reported by Cure53.
783
784* 0rigin DoS (Medium)
785   Date Resolved: 21 Mar 2017
786   References: Sec 3361 / CVE-2016-9042 / VU#325339
787   Affects: ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10
788   CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) (worst case)
789   CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case)
790   Summary:
791	An exploitable denial of service vulnerability exists in the
792	origin timestamp check functionality of ntpd 4.2.8p9.  A specially
793	crafted unauthenticated network packet can be used to reset the
794	expected origin timestamp for target peers.  Legitimate replies
795	from targeted peers will fail the origin timestamp check (TEST2)
796	causing the reply to be dropped and creating a denial of service
797	condition.  This vulnerability can only be exploited if the
798	attacker can spoof all of the servers.
799   Mitigation:
800	Implement BCP-38.
801	Configure enough servers/peers that an attacker cannot target
802	    all of your time sources.
803	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
804	    or the NTP Public Services Project Download Page
805	Properly monitor your ntpd instances, and auto-restart
806	    ntpd (without -g) if it stops running.
807   Credit:
808	This weakness was discovered by Matthew Van Gundy of Cisco.
809
810Other fixes:
811
812* [Bug 3393] clang scan-build findings <perlinger@ntp.org>
813* [Bug 3363] Support for openssl-1.1.0 without compatibility modes
814  - rework of patch set from <ntp.org@eroen.eu>. <perlinger@ntp.org>
815* [Bug 3356] Bugfix 3072 breaks multicastclient <perlinger@ntp.org>
816* [Bug 3216] libntp audio ioctl() args incorrectly cast to int
817  on 4.4BSD-Lite derived platforms <perlinger@ntp.org>
818  - original patch by Majdi S. Abbas
819* [Bug 3215] 'make distcheck' fails with new BK repo format <perlinger@ntp.org>
820* [Bug 3173] forking async worker: interrupted pipe I/O <perlinger@ntp.org>
821  - initial patch by Christos Zoulas
822* [Bug 3139] (...) time_pps_create: Exec format error <perlinger@ntp.org>
823  - move loader API from 'inline' to proper source
824  - augment pathless dlls with absolute path to NTPD
825  - use 'msyslog()' instead of 'printf() 'for reporting trouble
826* [Bug 3107] Incorrect Logic for Peer Event Limiting <perlinger@ntp.org>
827  - applied patch by Matthew Van Gundy
828* [Bug 3065] Quiet warnings on NetBSD <perlinger@ntp.org>
829  - applied some of the patches provided by Havard. Not all of them
830    still match the current code base, and I did not touch libopt.
831* [Bug 3062] Change the process name of forked DNS worker <perlinger@ntp.org>
832  - applied patch by Reinhard Max. See bugzilla for limitations.
833* [Bug 2923] Trap Configuration Fail <perlinger@ntp.org>
834  - fixed dependency inversion from [Bug 2837]
835* [Bug 2896] Nothing happens if minsane < maxclock < minclock
836  - produce ERROR log message about dysfunctional daemon. <perlinger@ntp.org>
837* [Bug 2851] allow -4/-6 on restrict line with mask <perlinger@ntp.org>
838  - applied patch by Miroslav Lichvar for ntp4.2.6 compat
839* [Bug 2645] out-of-bound pointers in ctl_putsys and decode_bitflags
840  - Fixed these and some more locations of this pattern.
841    Probably din't get them all, though. <perlinger@ntp.org>
842* Update copyright year.
843
844--
845(4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn@ntp.org>
846
847* [Bug 3144] NTP does not build without openSSL. <perlinger@ntp.org>
848  - added missed changeset for automatic openssl lib detection
849  - fixed some minor warning issues
850* [Bug 3095]  More compatibility with openssl 1.1. <perlinger@ntp.org>
851* configure.ac cleanup.  stenn@ntp.org
852* openssl configure cleanup.  stenn@ntp.org
853
854--
855NTP 4.2.8p9 (Harlan Stenn <stenn@ntp.org>, 2016/11/21)
856
857Focus: Security, Bug fixes, enhancements.
858
859Severity: HIGH
860
861In addition to bug fixes and enhancements, this release fixes the
862following 1 high- (Windows only), 2 medium-, 2 medium-/low, and
8635 low-severity vulnerabilities, and provides 28 other non-security
864fixes and improvements:
865
866* Trap crash
867   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
868   References: Sec 3119 / CVE-2016-9311 / VU#633847
869   Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
870   	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
871   CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
872   CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
873   Summary:
874	ntpd does not enable trap service by default. If trap service
875	has been explicitly enabled, an attacker can send a specially
876	crafted packet to cause a null pointer dereference that will
877	crash ntpd, resulting in a denial of service.
878   Mitigation:
879        Implement BCP-38.
880	Use "restrict default noquery ..." in your ntp.conf file. Only
881	    allow mode 6 queries from trusted networks and hosts.
882        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
883	    or the NTP Public Services Project Download Page
884        Properly monitor your ntpd instances, and auto-restart ntpd
885	    (without -g) if it stops running.
886   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
887
888* Mode 6 information disclosure and DDoS vector
889   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
890   References: Sec 3118 / CVE-2016-9310 / VU#633847
891   Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
892	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
893   CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
894   CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
895   Summary:
896	An exploitable configuration modification vulnerability exists
897	in the control mode (mode 6) functionality of ntpd. If, against
898	long-standing BCP recommendations, "restrict default noquery ..."
899	is not specified, a specially crafted control mode packet can set
900	ntpd traps, providing information disclosure and DDoS
901	amplification, and unset ntpd traps, disabling legitimate
902	monitoring. A remote, unauthenticated, network attacker can
903	trigger this vulnerability.
904   Mitigation:
905        Implement BCP-38.
906	Use "restrict default noquery ..." in your ntp.conf file.
907        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
908	    or the NTP Public Services Project Download Page
909        Properly monitor your ntpd instances, and auto-restart ntpd
910	    (without -g) if it stops running.
911   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
912
913* Broadcast Mode Replay Prevention DoS
914   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
915   References: Sec 3114 / CVE-2016-7427 / VU#633847
916   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
917	ntp-4.3.90 up to, but not including ntp-4.3.94.
918   CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
919   CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
920   Summary:
921	The broadcast mode of NTP is expected to only be used in a
922	trusted network. If the broadcast network is accessible to an
923	attacker, a potentially exploitable denial of service
924	vulnerability in ntpd's broadcast mode replay prevention
925	functionality can be abused. An attacker with access to the NTP
926	broadcast domain can periodically inject specially crafted
927	broadcast mode NTP packets into the broadcast domain which,
928	while being logged by ntpd, can cause ntpd to reject broadcast
929	mode packets from legitimate NTP broadcast servers.
930   Mitigation:
931        Implement BCP-38.
932        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
933	    or the NTP Public Services Project Download Page
934        Properly monitor your ntpd instances, and auto-restart ntpd
935	    (without -g) if it stops running.
936   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
937
938* Broadcast Mode Poll Interval Enforcement DoS
939   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
940   References: Sec 3113 / CVE-2016-7428 / VU#633847
941   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
942	ntp-4.3.90 up to, but not including ntp-4.3.94
943   CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
944   CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
945   Summary:
946	The broadcast mode of NTP is expected to only be used in a
947	trusted network. If the broadcast network is accessible to an
948	attacker, a potentially exploitable denial of service
949	vulnerability in ntpd's broadcast mode poll interval enforcement
950	functionality can be abused. To limit abuse, ntpd restricts the
951	rate at which each broadcast association will process incoming
952	packets. ntpd will reject broadcast mode packets that arrive
953	before the poll interval specified in the preceding broadcast
954	packet expires. An attacker with access to the NTP broadcast
955	domain can send specially crafted broadcast mode NTP packets to
956	the broadcast domain which, while being logged by ntpd, will
957	cause ntpd to reject broadcast mode packets from legitimate NTP
958	broadcast servers.
959   Mitigation:
960        Implement BCP-38.
961        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
962	    or the NTP Public Services Project Download Page
963        Properly monitor your ntpd instances, and auto-restart ntpd
964	    (without -g) if it stops running.
965   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
966
967* Windows: ntpd DoS by oversized UDP packet
968   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
969   References: Sec 3110 / CVE-2016-9312 / VU#633847
970   Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
971	and ntp-4.3.0 up to, but not including ntp-4.3.94.
972   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
973   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
974   Summary:
975	If a vulnerable instance of ntpd on Windows receives a crafted
976	malicious packet that is "too big", ntpd will stop working.
977   Mitigation:
978        Implement BCP-38.
979        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
980	    or the NTP Public Services Project Download Page
981        Properly monitor your ntpd instances, and auto-restart ntpd
982	    (without -g) if it stops running.
983   Credit: This weakness was discovered by Robert Pajak of ABB.
984
985* 0rigin (zero origin) issues
986   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
987   References: Sec 3102 / CVE-2016-7431 / VU#633847
988   Affects: ntp-4.2.8p8, and ntp-4.3.93.
989   CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
990   CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
991   Summary:
992	Zero Origin timestamp problems were fixed by Bug 2945 in
993	ntp-4.2.8p6. However, subsequent timestamp validation checks
994	introduced a regression in the handling of some Zero origin
995	timestamp checks.
996   Mitigation:
997        Implement BCP-38.
998        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
999	    or the NTP Public Services Project Download Page
1000        Properly monitor your ntpd instances, and auto-restart ntpd
1001	    (without -g) if it stops running.
1002   Credit: This weakness was discovered by Sharon Goldberg and Aanchal
1003	Malhotra of Boston University.
1004
1005* read_mru_list() does inadequate incoming packet checks
1006   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1007   References: Sec 3082 / CVE-2016-7434 / VU#633847
1008   Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and
1009	ntp-4.3.0 up to, but not including ntp-4.3.94.
1010   CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
1011   CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1012   Summary:
1013	If ntpd is configured to allow mrulist query requests from a
1014	server that sends a crafted malicious packet, ntpd will crash
1015	on receipt of that crafted malicious mrulist query packet.
1016   Mitigation:
1017	Only allow mrulist query packets from trusted hosts.
1018        Implement BCP-38.
1019        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1020	    or the NTP Public Services Project Download Page
1021        Properly monitor your ntpd instances, and auto-restart ntpd
1022	    (without -g) if it stops running.
1023   Credit: This weakness was discovered by Magnus Stubman.
1024
1025* Attack on interface selection
1026   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1027   References: Sec 3072 / CVE-2016-7429 / VU#633847
1028   Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
1029	ntp-4.3.0 up to, but not including ntp-4.3.94
1030   CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
1031   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
1032   Summary:
1033	When ntpd receives a server response on a socket that corresponds
1034	to a different interface than was used for the request, the peer
1035	structure is updated to use the interface for new requests. If
1036	ntpd is running on a host with multiple interfaces in separate
1037	networks and the operating system doesn't check source address in
1038	received packets (e.g. rp_filter on Linux is set to 0), an
1039	attacker that knows the address of the source can send a packet
1040	with spoofed source address which will cause ntpd to select wrong
1041	interface for the source and prevent it from sending new requests
1042	until the list of interfaces is refreshed, which happens on
1043	routing changes or every 5 minutes by default. If the attack is
1044	repeated often enough (once per second), ntpd will not be able to
1045	synchronize with the source.
1046   Mitigation:
1047        Implement BCP-38.
1048        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1049	    or the NTP Public Services Project Download Page
1050	If you are going to configure your OS to disable source address
1051	    checks, also configure your firewall configuration to control
1052	    what interfaces can receive packets from what networks.
1053        Properly monitor your ntpd instances, and auto-restart ntpd
1054	    (without -g) if it stops running.
1055   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1056
1057* Client rate limiting and server responses
1058   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1059   References: Sec 3071 / CVE-2016-7426 / VU#633847
1060   Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and
1061	ntp-4.3.0 up to, but not including ntp-4.3.94
1062   CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
1063   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
1064   Summary:
1065	When ntpd is configured with rate limiting for all associations
1066	(restrict default limited in ntp.conf), the limits are applied
1067	also to responses received from its configured sources. An
1068	attacker who knows the sources (e.g., from an IPv4 refid in
1069	server response) and knows the system is (mis)configured in this
1070	way can periodically send packets with spoofed source address to
1071	keep the rate limiting activated and prevent ntpd from accepting
1072	valid responses from its sources.
1073
1074	While this blanket rate limiting can be useful to prevent
1075	brute-force attacks on the origin timestamp, it allows this DoS
1076	attack. Similarly, it allows the attacker to prevent mobilization
1077	of ephemeral associations.
1078   Mitigation:
1079        Implement BCP-38.
1080        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1081	    or the NTP Public Services Project Download Page
1082        Properly monitor your ntpd instances, and auto-restart ntpd
1083	    (without -g) if it stops running.
1084   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1085
1086* Fix for bug 2085 broke initial sync calculations
1087   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1088   References: Sec 3067 / CVE-2016-7433 / VU#633847
1089   Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
1090	ntp-4.3.0 up to, but not including ntp-4.3.94. But the
1091	root-distance calculation in general is incorrect in all versions
1092	of ntp-4 until this release.
1093   CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
1094   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
1095   Summary:
1096	Bug 2085 described a condition where the root delay was included
1097	twice, causing the jitter value to be higher than expected. Due
1098	to a misinterpretation of a small-print variable in The Book, the
1099	fix for this problem was incorrect, resulting in a root distance
1100	that did not include the peer dispersion. The calculations and
1101	formulae have been reviewed and reconciled, and the code has been
1102	updated accordingly.
1103   Mitigation:
1104        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1105	    or the NTP Public Services Project Download Page
1106        Properly monitor your ntpd instances, and auto-restart ntpd
1107	    (without -g) if it stops running.
1108   Credit: This weakness was discovered independently by Brian Utterback of
1109	Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University.
1110
1111Other fixes:
1112
1113* [Bug 3142] bug in netmask prefix length detection <perlinger@ntp.org>
1114* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org
1115* [Bug 3129] Unknown hosts can put resolver thread into a hard loop
1116  - moved retry decision where it belongs. <perlinger@ntp.org>
1117* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
1118  using the loopback-ppsapi-provider.dll <perlinger@ntp.org>
1119* [Bug 3116] unit tests for NTP time stamp expansion. <perlinger@ntp.org>
1120* [Bug 3100] ntpq can't retrieve daemon_version <perlinger@ntp.org>
1121  - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
1122* [Bug 3095] Compatibility with openssl 1.1 <perlinger@ntp.org>
1123  - applied patches by Kurt Roeckx <kurt@roeckx.be> to source
1124  - added shim layer for SSL API calls with issues (both directions)
1125* [Bug 3089] Serial Parser does not work anymore for hopfser like device
1126  - simplified / refactored hex-decoding in driver. <perlinger@ntp.org>
1127* [Bug 3084] update-leap mis-parses the leapfile name.  HStenn.
1128* [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org
1129  - applied patch thanks to Andrew Stormont <andyjstormont@gmail.com>
1130* [Bug 3067] Root distance calculation needs improvement.  HStenn
1131* [Bug 3066] NMEA clock ignores pps. perlinger@ntp.org
1132  - PPS-HACK works again.
1133* [Bug 3059] Potential buffer overrun from oversized hash <perlinger@ntp.org>
1134  - applied patch by Brian Utterback <brian.utterback@oracle.com>
1135* [Bug 3053] ntp_loopfilter.c frequency calc precedence error.  Sarah White.
1136* [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
1137  <perlinger@ntp.org>
1138  - patches by Reinhard Max <max@suse.com> and Havard Eidnes <he@uninett.no>
1139* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe@ntp.org
1140  - Patch provided by Kuramatsu.
1141* [Bug 3021] unity_fixture.c needs pragma weak <perlinger@ntp.org>
1142  - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
1143* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer
1144* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
1145* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY.  HStenn.
1146* [Bug 2959] refclock_jupiter: gps week correction <perlinger@ntp.org>
1147  - fixed GPS week expansion to work based on build date. Special thanks
1148    to Craig Leres for initial patch and testing.
1149* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
1150  - fixed Makefile.am <perlinger@ntp.org>
1151* [Bug 2689] ATOM driver processes last PPS pulse at startup,
1152             even if it is very old <perlinger@ntp.org>
1153  - make sure PPS source is alive before processing samples
1154  - improve stability close to the 500ms phase jump (phase gate)
1155* Fix typos in include/ntp.h.
1156* Shim X509_get_signature_nid() if needed
1157* git author attribution cleanup
1158* bk ignore file cleanup
1159* remove locks in Windows IO, use rpc-like thread synchronisation instead
1160
1161---
1162NTP 4.2.8p8 (Harlan Stenn <stenn@ntp.org>, 2016/06/02)
1163
1164Focus: Security, Bug fixes, enhancements.
1165
1166Severity: HIGH
1167
1168In addition to bug fixes and enhancements, this release fixes the
1169following 1 high- and 4 low-severity vulnerabilities:
1170
1171* CRYPTO_NAK crash
1172   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1173   References: Sec 3046 / CVE-2016-4957 / VU#321640
1174   Affects: ntp-4.2.8p7, and ntp-4.3.92.
1175   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
1176   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1177   Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
1178	could cause ntpd to crash.
1179   Mitigation:
1180        Implement BCP-38.
1181        Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1182	    or the NTP Public Services Project Download Page
1183        If you cannot upgrade from 4.2.8p7, the only other alternatives
1184	    are to patch your code or filter CRYPTO_NAK packets.
1185        Properly monitor your ntpd instances, and auto-restart ntpd
1186	    (without -g) if it stops running.
1187   Credit: This weakness was discovered by Nicolas Edet of Cisco.
1188
1189* Bad authentication demobilizes ephemeral associations
1190   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1191   References: Sec 3045 / CVE-2016-4953 / VU#321640
1192   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1193	ntp-4.3.0 up to, but not including ntp-4.3.93.
1194   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1195   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1196   Summary: An attacker who knows the origin timestamp and can send a
1197	spoofed packet containing a CRYPTO-NAK to an ephemeral peer
1198	target before any other response is sent can demobilize that
1199	association.
1200   Mitigation:
1201	Implement BCP-38.
1202	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1203	    or the NTP Public Services Project Download Page
1204	Properly monitor your ntpd instances.
1205	Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1206
1207* Processing spoofed server packets
1208   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1209   References: Sec 3044 / CVE-2016-4954 / VU#321640
1210   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1211	ntp-4.3.0 up to, but not including ntp-4.3.93.
1212   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1213   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1214   Summary: An attacker who is able to spoof packets with correct origin
1215	timestamps from enough servers before the expected response
1216	packets arrive at the target machine can affect some peer
1217	variables and, for example, cause a false leap indication to be set.
1218   Mitigation:
1219	Implement BCP-38.
1220	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1221	    or the NTP Public Services Project Download Page
1222	Properly monitor your ntpd instances.
1223   Credit: This weakness was discovered by Jakub Prokes of Red Hat.
1224
1225* Autokey association reset
1226   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1227   References: Sec 3043 / CVE-2016-4955 / VU#321640
1228   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1229	ntp-4.3.0 up to, but not including ntp-4.3.93.
1230   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1231   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1232   Summary: An attacker who is able to spoof a packet with a correct
1233	origin timestamp before the expected response packet arrives at
1234	the target machine can send a CRYPTO_NAK or a bad MAC and cause
1235	the association's peer variables to be cleared. If this can be
1236	done often enough, it will prevent that association from working.
1237   Mitigation:
1238	Implement BCP-38.
1239	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1240	    or the NTP Public Services Project Download Page
1241	Properly monitor your ntpd instances.
1242   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1243
1244* Broadcast interleave
1245   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1246   References: Sec 3042 / CVE-2016-4956 / VU#321640
1247   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1248   	ntp-4.3.0 up to, but not including ntp-4.3.93.
1249   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1250   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1251   Summary: The fix for NtpBug2978 does not cover broadcast associations,
1252   	so broadcast clients can be triggered to flip into interleave mode.
1253   Mitigation:
1254	Implement BCP-38.
1255	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1256	    or the NTP Public Services Project Download Page
1257	Properly monitor your ntpd instances.
1258   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1259
1260Other fixes:
1261* [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org
1262  - provide build environment
1263  - 'wint_t' and 'struct timespec' defined by VS2015
1264  - fixed print()/scanf() format issues
1265* [Bug 3052] Add a .gitignore file.  Edmund Wong.
1266* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
1267* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
1268  JPerlinger, HStenn.
1269* Fix typo in ntp-wait and plot_summary.  HStenn.
1270* Make sure we have an "author" file for git imports.  HStenn.
1271* Update the sntp problem tests for MacOS.  HStenn.
1272
1273---
1274NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26)
1275
1276Focus: Security, Bug fixes, enhancements.
1277
1278Severity: MEDIUM
1279
1280When building NTP from source, there is a new configure option
1281available, --enable-dynamic-interleave.  More information on this below.
1282
1283Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
1284versions of ntp.  These events have almost certainly happened in the
1285past, it's just that they were silently counted and not logged.  With
1286the increasing awareness around security, we feel it's better to clearly
1287log these events to help detect abusive behavior.  This increased
1288logging can also help detect other problems, too.
1289
1290In addition to bug fixes and enhancements, this release fixes the
1291following 9 low- and medium-severity vulnerabilities:
1292
1293* Improve NTP security against buffer comparison timing attacks,
1294  AKA: authdecrypt-timing
1295   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1296   References: Sec 2879 / CVE-2016-1550
1297   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1298	4.3.0 up to, but not including 4.3.92
1299   CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
1300   CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1301   Summary: Packet authentication tests have been performed using
1302	memcmp() or possibly bcmp(), and it is potentially possible
1303	for a local or perhaps LAN-based attacker to send a packet with
1304	an authentication payload and indirectly observe how much of
1305	the digest has matched.
1306   Mitigation:
1307	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1308	    or the NTP Public Services Project Download Page.
1309	Properly monitor your ntpd instances.
1310   Credit: This weakness was discovered independently by Loganaden
1311   	Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
1312
1313* Zero origin timestamp bypass: Additional KoD checks.
1314   References: Sec 2945 / Sec 2901 / CVE-2015-8138
1315   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
1316   Summary: Improvements to the fixes incorporated in t 4.2.8p6 and 4.3.92.
1317
1318* peer associations were broken by the fix for NtpBug2899
1319   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1320   References: Sec 2952 / CVE-2015-7704
1321   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1322   	4.3.0 up to, but not including 4.3.92
1323   CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
1324   Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
1325   	associations did not address all of the issues.
1326   Mitigation:
1327        Implement BCP-38.
1328        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1329	    or the NTP Public Services Project Download Page
1330        If you can't upgrade, use "server" associations instead of
1331	    "peer" associations.
1332        Monitor your ntpd instances.
1333   Credit: This problem was discovered by Michael Tatarinov.
1334
1335* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
1336   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1337   References: Sec 3007 / CVE-2016-1547 / VU#718152
1338   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1339	4.3.0 up to, but not including 4.3.92
1340   CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
1341   CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1342   Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
1343	off-path attacker can cause a preemptable client association to
1344	be demobilized by sending a crypto NAK packet to a victim client
1345	with a spoofed source address of an existing associated peer.
1346	This is true even if authentication is enabled.
1347
1348	Furthermore, if the attacker keeps sending crypto NAK packets,
1349	for example one every second, the victim never has a chance to
1350	reestablish the association and synchronize time with that
1351	legitimate server.
1352
1353	For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more
1354	stringent checks are performed on incoming packets, but there
1355	are still ways to exploit this vulnerability in versions before
1356	ntp-4.2.8p7.
1357   Mitigation:
1358	Implement BCP-38.
1359	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1360	    or the NTP Public Services Project Download Page
1361	Properly monitor your ntpd instances
1362   Credit: This weakness was discovered by Stephen Gray and
1363   	Matthew Van Gundy of Cisco ASIG.
1364
1365* ctl_getitem() return value not always checked
1366   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1367   References: Sec 3008 / CVE-2016-2519
1368   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1369	4.3.0 up to, but not including 4.3.92
1370   CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
1371   CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1372   Summary: ntpq and ntpdc can be used to store and retrieve information
1373   	in ntpd. It is possible to store a data value that is larger
1374	than the size of the buffer that the ctl_getitem() function of
1375	ntpd uses to report the return value. If the length of the
1376	requested data value returned by ctl_getitem() is too large,
1377	the value NULL is returned instead. There are 2 cases where the
1378	return value from ctl_getitem() was not directly checked to make
1379	sure it's not NULL, but there are subsequent INSIST() checks
1380	that make sure the return value is not NULL. There are no data
1381	values ordinarily stored in ntpd that would exceed this buffer
1382	length. But if one has permission to store values and one stores
1383	a value that is "too large", then ntpd will abort if an attempt
1384	is made to read that oversized value.
1385    Mitigation:
1386        Implement BCP-38.
1387        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1388	    or the NTP Public Services Project Download Page
1389        Properly monitor your ntpd instances.
1390    Credit: This weakness was discovered by Yihan Lian of the Cloud
1391    	Security Team, Qihoo 360.
1392
1393* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
1394   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1395   References: Sec 3009 / CVE-2016-2518 / VU#718152
1396   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1397	4.3.0 up to, but not including 4.3.92
1398   CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
1399   CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
1400   Summary: Using a crafted packet to create a peer association with
1401   	hmode > 7 causes the MATCH_ASSOC() lookup to make an
1402	out-of-bounds reference.
1403   Mitigation:
1404	Implement BCP-38.
1405	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1406	    or the NTP Public Services Project Download Page
1407	Properly monitor your ntpd instances
1408   Credit: This weakness was discovered by Yihan Lian of the Cloud
1409   	Security Team, Qihoo 360.
1410
1411* remote configuration trustedkey/requestkey/controlkey values are not
1412	properly validated
1413   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1414   References: Sec 3010 / CVE-2016-2517 / VU#718152
1415   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1416	4.3.0 up to, but not including 4.3.92
1417   CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
1418   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1419   Summary: If ntpd was expressly configured to allow for remote
1420   	configuration, a malicious user who knows the controlkey for
1421	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
1422	can create a session with ntpd and then send a crafted packet to
1423	ntpd that will change the value of the trustedkey, controlkey,
1424	or requestkey to a value that will prevent any subsequent
1425	authentication with ntpd until ntpd is restarted.
1426   Mitigation:
1427	Implement BCP-38.
1428	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1429	    or the NTP Public Services Project Download Page
1430	Properly monitor your ntpd instances
1431   Credit: This weakness was discovered by Yihan Lian of the Cloud
1432   	Security Team, Qihoo 360.
1433
1434* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
1435   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1436   References: Sec 3011 / CVE-2016-2516 / VU#718152
1437   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1438   	4.3.0 up to, but not including 4.3.92
1439   CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
1440   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1441   Summary: If ntpd was expressly configured to allow for remote
1442   	configuration, a malicious user who knows the controlkey for
1443	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
1444	can create a session with ntpd and if an existing association is
1445	unconfigured using the same IP twice on the unconfig directive
1446	line, ntpd will abort.
1447   Mitigation:
1448	Implement BCP-38.
1449	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1450	    or the NTP Public Services Project Download Page
1451	Properly monitor your ntpd instances
1452   Credit: This weakness was discovered by Yihan Lian of the Cloud
1453   	Security Team, Qihoo 360.
1454
1455* Refclock impersonation vulnerability
1456   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1457   References: Sec 3020 / CVE-2016-1551
1458   Affects: On a very limited number of OSes, all NTP releases up to but
1459	not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
1460	By "very limited number of OSes" we mean no general-purpose OSes
1461	have yet been identified that have this vulnerability.
1462   CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
1463   CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
1464   Summary: While most OSes implement martian packet filtering in their
1465   	network stack, at least regarding 127.0.0.0/8, some will allow
1466	packets claiming to be from 127.0.0.0/8 that arrive over a
1467	physical network. On these OSes, if ntpd is configured to use a
1468	reference clock an attacker can inject packets over the network
1469	that look like they are coming from that reference clock.
1470   Mitigation:
1471        Implement martian packet filtering and BCP-38.
1472        Configure ntpd to use an adequate number of time sources.
1473        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1474	    or the NTP Public Services Project Download Page
1475        If you are unable to upgrade and if you are running an OS that
1476	    has this vulnerability, implement martian packet filters and
1477	    lobby your OS vendor to fix this problem, or run your
1478	    refclocks on computers that use OSes that are not vulnerable
1479	    to these attacks and have your vulnerable machines get their
1480	    time from protected resources.
1481        Properly monitor your ntpd instances.
1482   Credit: This weakness was discovered by Matt Street and others of
1483   	Cisco ASIG.
1484
1485The following issues were fixed in earlier releases and contain
1486improvements in 4.2.8p7:
1487
1488* Clients that receive a KoD should validate the origin timestamp field.
1489   References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
1490   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
1491   Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.
1492
1493* Skeleton key: passive server with trusted key can serve time.
1494   References: Sec 2936 / CVE-2015-7974
1495   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
1496   Summary: Improvements to the fixes incorporated in t 4.2.8p6 and 4.3.90.
1497
1498Two other vulnerabilities have been reported, and the mitigations
1499for these are as follows:
1500
1501* Interleave-pivot
1502   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1503   References: Sec 2978 / CVE-2016-1548
1504   Affects: All ntp-4 releases.
1505   CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
1506   CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
1507   Summary: It is possible to change the time of an ntpd client or deny
1508   	service to an ntpd client by forcing it to change from basic
1509	client/server mode to interleaved symmetric mode. An attacker
1510	can spoof a packet from a legitimate ntpd server with an origin
1511	timestamp that matches the peer->dst timestamp recorded for that
1512	server. After making this switch, the client will reject all
1513	future legitimate server responses. It is possible to force the
1514	victim client to move time after the mode has been changed.
1515	ntpq gives no indication that the mode has been switched.
1516   Mitigation:
1517        Implement BCP-38.
1518        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1519	    or the NTP Public Services Project Download Page.  These
1520	    versions will not dynamically "flip" into interleave mode
1521	    unless configured to do so.
1522        Properly monitor your ntpd instances.
1523   Credit: This weakness was discovered by Miroslav Lichvar of RedHat
1524   	and separately by Jonathan Gardner of Cisco ASIG.
1525
1526* Sybil vulnerability: ephemeral association attack
1527   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1528   References: Sec 3012 / CVE-2016-1549
1529   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1530   	4.3.0 up to, but not including 4.3.92
1531   CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
1532   CVSS3v: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
1533   Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
1534   	the feature introduced in ntp-4.2.8p6 allowing an optional 4th
1535	field in the ntp.keys file to specify which IPs can serve time,
1536	a malicious authenticated peer can create arbitrarily-many
1537	ephemeral associations in order to win the clock selection of
1538	ntpd and modify a victim's clock.
1539   Mitigation:
1540        Implement BCP-38.
1541        Use the 4th field in the ntp.keys file to specify which IPs
1542	    can be time servers.
1543        Properly monitor your ntpd instances.
1544   Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
1545
1546Other fixes:
1547
1548* [Bug 2831]  Segmentation Fault in DNS lookup during startup. perlinger@ntp.org
1549  - fixed yet another race condition in the threaded resolver code.
1550* [Bug 2858] bool support.  Use stdbool.h when available.  HStenn.
1551* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
1552  - integrated patches by Loganaden Velvidron <logan@ntp.org>
1553    with some modifications & unit tests
1554* [Bug 2960] async name resolution fixes for chroot() environments.
1555  Reinhard Max.
1556* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
1557* [Bug 2995] Fixes to compile on Windows
1558* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
1559* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
1560  - Patch provided by Ch. Weisgerber
1561* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
1562  - A change related to [Bug 2853] forbids trailing white space in
1563    remote config commands. perlinger@ntp.org
1564* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
1565  - report and patch from Aleksandr Kostikov.
1566  - Overhaul of Windows IO completion port handling. perlinger@ntp.org
1567* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org
1568  - fixed memory leak in access list (auth[read]keys.c)
1569  - refactored handling of key access lists (auth[read]keys.c)
1570  - reduced number of error branches (authreadkeys.c)
1571* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
1572* [Bug 3030] ntpq needs a general way to specify refid output format.  HStenn.
1573* [Bug 3031] ntp broadcastclient unable to synchronize to an server
1574             when the time of server changed. perlinger@ntp.org
1575  - Check the initial delay calculation and reject/unpeer the broadcast
1576    server if the delay exceeds 50ms. Retry again after the next
1577    broadcast packet.
1578* [Bug 3036] autokey trips an INSIST in authistrustedip().  Harlan Stenn.
1579* Document ntp.key's optional IP list in authenetic.html.  Harlan Stenn.
1580* Update html/xleave.html documentation.  Harlan Stenn.
1581* Update ntp.conf documentation.  Harlan Stenn.
1582* Fix some Credit: attributions in the NEWS file.  Harlan Stenn.
1583* Fix typo in html/monopt.html.  Harlan Stenn.
1584* Add README.pullrequests.  Harlan Stenn.
1585* Cleanup to include/ntp.h.  Harlan Stenn.
1586
1587New option to 'configure':
1588
1589While looking in to the issues around Bug 2978, the "interleave pivot"
1590issue, it became clear that there are some intricate and unresolved
1591issues with interleave operations.  We also realized that the interleave
1592protocol was never added to the NTPv4 Standard, and it should have been.
1593
1594Interleave mode was first released in July of 2008, and can be engaged
1595in two ways.  Any 'peer' and 'broadcast' lines in the ntp.conf file may
1596contain the 'xleave' option, which will expressly enable interlave mode
1597for that association.  Additionally, if a time packet arrives and is
1598found inconsistent with normal protocol behavior but has certain
1599characteristics that are compatible with interleave mode, NTP will
1600dynamically switch to interleave mode.  With sufficient knowledge, an
1601attacker can send a crafted forged packet to an NTP instance that
1602triggers only one side to enter interleaved mode.
1603
1604To prevent this attack until we can thoroughly document, describe,
1605fix, and test the dynamic interleave mode, we've added a new
1606'configure' option to the build process:
1607
1608 --enable-dynamic-interleave
1609
1610This option controls whether or not NTP will, if conditions are right,
1611engage dynamic interleave mode.  Dynamic interleave mode is disabled by
1612default in ntp-4.2.8p7.
1613
1614---
1615NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20)
1616
1617Focus: Security, Bug fixes, enhancements.
1618
1619Severity: MEDIUM
1620
1621In addition to bug fixes and enhancements, this release fixes the
1622following 1 low- and 8 medium-severity vulnerabilities:
1623
1624* Potential Infinite Loop in 'ntpq'
1625   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1626   References: Sec 2548 / CVE-2015-8158
1627   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1628	4.3.0 up to, but not including 4.3.90
1629   CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
1630   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
1631   Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
1632	The loop's only stopping conditions are receiving a complete and
1633	correct response or hitting a small number of error conditions.
1634	If the packet contains incorrect values that don't trigger one of
1635	the error conditions, the loop continues to receive new packets.
1636	Note well, this is an attack against an instance of 'ntpq', not
1637	'ntpd', and this attack requires the attacker to do one of the
1638	following:
1639	* Own a malicious NTP server that the client trusts
1640	* Prevent a legitimate NTP server from sending packets to
1641	    the 'ntpq' client
1642	* MITM the 'ntpq' communications between the 'ntpq' client
1643	    and the NTP server
1644   Mitigation:
1645	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1646	or the NTP Public Services Project Download Page
1647   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
1648
1649* 0rigin: Zero Origin Timestamp Bypass
1650   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1651   References: Sec 2945 / CVE-2015-8138
1652   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1653	4.3.0 up to, but not including 4.3.90
1654   CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
1655   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
1656	(3.7 - LOW if you score AC:L)
1657   Summary: To distinguish legitimate peer responses from forgeries, a
1658	client attempts to verify a response packet by ensuring that the
1659	origin timestamp in the packet matches the origin timestamp it
1660	transmitted in its last request.  A logic error exists that
1661	allows packets with an origin timestamp of zero to bypass this
1662	check whenever there is not an outstanding request to the server.
1663   Mitigation:
1664	Configure 'ntpd' to get time from multiple sources.
1665	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1666	    or the NTP Public Services Project Download Page.
1667	Monitor your 'ntpd' instances.
1668   Credit: This weakness was discovered by Matthey Van Gundy and
1669	Jonathan Gardner of Cisco ASIG.
1670
1671* Stack exhaustion in recursive traversal of restriction list
1672   Date Resolved: Stable (4.2.8p6) 19 Jan 2016
1673   References: Sec 2940 / CVE-2015-7978
1674   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1675	4.3.0 up to, but not including 4.3.90
1676   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
1677   Summary: An unauthenticated 'ntpdc reslist' command can cause a
1678   	segmentation fault in ntpd by exhausting the call stack.
1679   Mitigation:
1680	Implement BCP-38.
1681	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1682	    or the NTP Public Services Project Download Page.
1683	If you are unable to upgrade:
1684            In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
1685	    If you must enable mode 7:
1686		configure the use of a 'requestkey' to control who can
1687		    issue mode 7 requests.
1688		configure 'restrict noquery' to further limit mode 7
1689		    requests to trusted sources.
1690		Monitor your ntpd instances.
1691   Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.
1692
1693* Off-path Denial of Service (!DoS) attack on authenticated broadcast mode
1694   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1695   References: Sec 2942 / CVE-2015-7979
1696   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1697	4.3.0 up to, but not including 4.3.90
1698   CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
1699   Summary: An off-path attacker can send broadcast packets with bad
1700	authentication (wrong key, mismatched key, incorrect MAC, etc)
1701	to broadcast clients. It is observed that the broadcast client
1702	tears down the association with the broadcast server upon
1703	receiving just one bad packet.
1704   Mitigation:
1705	Implement BCP-38.
1706	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1707	or the NTP Public Services Project Download Page.
1708	Monitor your 'ntpd' instances.
1709	If this sort of attack is an active problem for you, you have
1710	    deeper problems to investigate.  In this case also consider
1711	    having smaller NTP broadcast domains.
1712   Credit: This weakness was discovered by Aanchal Malhotra of Boston
1713   	University.
1714
1715* reslist NULL pointer dereference
1716   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1717   References: Sec 2939 / CVE-2015-7977
1718   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1719	4.3.0 up to, but not including 4.3.90
1720   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
1721   Summary: An unauthenticated 'ntpdc reslist' command can cause a
1722	segmentation fault in ntpd by causing a NULL pointer dereference.
1723   Mitigation:
1724	Implement BCP-38.
1725	Upgrade to 4.2.8p6, or later, from NTP Project Download Page or
1726	the NTP Public Services Project Download Page.
1727	If you are unable to upgrade:
1728	    mode 7 is disabled by default.  Don't enable it.
1729	    If you must enable mode 7:
1730		configure the use of a 'requestkey' to control who can
1731		    issue mode 7 requests.
1732		configure 'restrict noquery' to further limit mode 7
1733		    requests to trusted sources.
1734	Monitor your ntpd instances.
1735   Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.
1736
1737* 'ntpq saveconfig' command allows dangerous characters in filenames.
1738   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1739   References: Sec 2938 / CVE-2015-7976
1740   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1741	4.3.0 up to, but not including 4.3.90
1742   CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
1743   Summary: The ntpq saveconfig command does not do adequate filtering
1744   	of special characters from the supplied filename.
1745	Note well: The ability to use the saveconfig command is controlled
1746	by the 'restrict nomodify' directive, and the recommended default
1747	configuration is to disable this capability.  If the ability to
1748	execute a 'saveconfig' is required, it can easily (and should) be
1749	limited and restricted to a known small number of IP addresses.
1750   Mitigation:
1751	Implement BCP-38.
1752	use 'restrict default nomodify' in your 'ntp.conf' file.
1753	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
1754	If you are unable to upgrade:
1755	    build NTP with 'configure --disable-saveconfig' if you will
1756	    	never need this capability, or
1757	    use 'restrict default nomodify' in your 'ntp.conf' file.  Be
1758		careful about what IPs have the ability to send 'modify'
1759		requests to 'ntpd'.
1760	Monitor your ntpd instances.
1761	'saveconfig' requests are logged to syslog - monitor your syslog files.
1762   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
1763
1764* nextvar() missing length check in ntpq
1765   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1766   References: Sec 2937 / CVE-2015-7975
1767   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1768	4.3.0 up to, but not including 4.3.90
1769   CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
1770	If you score A:C, this becomes 4.0.
1771   CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
1772   Summary: ntpq may call nextvar() which executes a memcpy() into the
1773	name buffer without a proper length check against its maximum
1774	length of 256 bytes. Note well that we're taking about ntpq here.
1775	The usual worst-case effect of this vulnerability is that the
1776	specific instance of ntpq will crash and the person or process
1777	that did this will have stopped themselves.
1778   Mitigation:
1779	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1780	    or the NTP Public Services Project Download Page.
1781	If you are unable to upgrade:
1782	    If you have scripts that feed input to ntpq make sure there are
1783		some sanity checks on the input received from the "outside".
1784	    This is potentially more dangerous if ntpq is run as root.
1785   Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.
1786
1787* Skeleton Key: Any trusted key system can serve time
1788   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1789   References: Sec 2936 / CVE-2015-7974
1790   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1791	4.3.0 up to, but not including 4.3.90
1792   CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
1793   Summary: Symmetric key encryption uses a shared trusted key. The
1794	reported title for this issue was "Missing key check allows
1795	impersonation between authenticated peers" and the report claimed
1796	"A key specified only for one server should only work to
1797	authenticate that server, other trusted keys should be refused."
1798	Except there has never been any correlation between this trusted
1799	key and server v. clients machines and there has never been any
1800	way to specify a key only for one server. We have treated this as
1801	an enhancement request, and ntp-4.2.8p6 includes other checks and
1802	tests to strengthen clients against attacks coming from broadcast
1803	servers.
1804   Mitigation:
1805	Implement BCP-38.
1806	If this scenario represents a real or a potential issue for you,
1807	    upgrade to 4.2.8p6, or later, from the NTP Project Download
1808	    Page or the NTP Public Services Project Download Page, and
1809	    use the new field in the ntp.keys file that specifies the list
1810	    of IPs that are allowed to serve time. Note that this alone
1811	    will not protect against time packets with forged source IP
1812	    addresses, however other changes in ntp-4.2.8p6 provide
1813	    significant mitigation against broadcast attacks. MITM attacks
1814	    are a different story.
1815	If you are unable to upgrade:
1816	    Don't use broadcast mode if you cannot monitor your client
1817	    	servers.
1818	    If you choose to use symmetric keys to authenticate time
1819	    	packets in a hostile environment where ephemeral time
1820		servers can be created, or if it is expected that malicious
1821		time servers will participate in an NTP broadcast domain,
1822		limit the number of participating systems that participate
1823		in the shared-key group.
1824	Monitor your ntpd instances.
1825   Credit: This weakness was discovered by Matt Street of Cisco ASIG.
1826
1827* Deja Vu: Replay attack on authenticated broadcast mode
1828   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1829   References: Sec 2935 / CVE-2015-7973
1830   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1831   	4.3.0 up to, but not including 4.3.90
1832   CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
1833   Summary: If an NTP network is configured for broadcast operations then
1834   	either a man-in-the-middle attacker or a malicious participant
1835	that has the same trusted keys as the victim can replay time packets.
1836   Mitigation:
1837	Implement BCP-38.
1838	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1839	    or the NTP Public Services Project Download Page.
1840	If you are unable to upgrade:
1841	    Don't use broadcast mode if you cannot monitor your client servers.
1842	Monitor your ntpd instances.
1843   Credit: This weakness was discovered by Aanchal Malhotra of Boston
1844	University.
1845
1846Other fixes:
1847
1848* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
1849* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
1850  - applied patch by shenpeng11@huawei.com with minor adjustments
1851* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
1852* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
1853* [Bug 2892] Several test cases assume IPv6 capabilities even when
1854             IPv6 is disabled in the build. perlinger@ntp.org
1855  - Found this already fixed, but validation led to cleanup actions.
1856* [Bug 2905] DNS lookups broken. perlinger@ntp.org
1857  - added limits to stack consumption, fixed some return code handling
1858* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
1859  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
1860  - make CTRL-C work for retrieval and printing od MRU list. perlinger@ntp.org
1861* [Bug 2980] reduce number of warnings. perlinger@ntp.org
1862  - integrated several patches from Havard Eidnes (he@uninett.no)
1863* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
1864  - implement 'auth_log2()' using integer bithack instead of float calculation
1865* Make leapsec_query debug messages less verbose.  Harlan Stenn.
1866
1867---
1868NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07)
1869
1870Focus: Security, Bug fixes, enhancements.
1871
1872Severity: MEDIUM
1873
1874In addition to bug fixes and enhancements, this release fixes the
1875following medium-severity vulnerability:
1876
1877* Small-step/big-step.  Close the panic gate earlier.
1878    References: Sec 2956, CVE-2015-5300
1879    Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
1880	4.3.0 up to, but not including 4.3.78
1881    CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
1882    Summary: If ntpd is always started with the -g option, which is
1883	common and against long-standing recommendation, and if at the
1884	moment ntpd is restarted an attacker can immediately respond to
1885	enough requests from enough sources trusted by the target, which
1886	is difficult and not common, there is a window of opportunity
1887	where the attacker can cause ntpd to set the time to an
1888	arbitrary value. Similarly, if an attacker is able to respond
1889	to enough requests from enough sources trusted by the target,
1890	the attacker can cause ntpd to abort and restart, at which
1891	point it can tell the target to set the time to an arbitrary
1892	value if and only if ntpd was re-started against long-standing
1893	recommendation with the -g flag, or if ntpd was not given the
1894	-g flag, the attacker can move the target system's time by at
1895	most 900 seconds' time per attack.
1896    Mitigation:
1897	Configure ntpd to get time from multiple sources.
1898	Upgrade to 4.2.8p5, or later, from the NTP Project Download
1899	    Page or the NTP Public Services Project Download Page
1900	As we've long documented, only use the -g option to ntpd in
1901	    cold-start situations.
1902	Monitor your ntpd instances.
1903    Credit: This weakness was discovered by Aanchal Malhotra,
1904	Isaac E. Cohen, and Sharon Goldberg at Boston University.
1905
1906    NOTE WELL: The -g flag disables the limit check on the panic_gate
1907	in ntpd, which is 900 seconds by default. The bug identified by
1908	the researchers at Boston University is that the panic_gate
1909	check was only re-enabled after the first change to the system
1910	clock that was greater than 128 milliseconds, by default. The
1911	correct behavior is that the panic_gate check should be
1912	re-enabled after any initial time correction.
1913
1914	If an attacker is able to inject consistent but erroneous time
1915	responses to your systems via the network or "over the air",
1916	perhaps by spoofing radio, cellphone, or navigation satellite
1917	transmissions, they are in a great position to affect your
1918	system's clock. There comes a point where your very best
1919	defenses include:
1920
1921	    Configure ntpd to get time from multiple sources.
1922	    Monitor your ntpd instances.
1923
1924Other fixes:
1925
1926* Coverity submission process updated from Coverity 5 to Coverity 7.
1927  The NTP codebase has been undergoing regular Coverity scans on an
1928  ongoing basis since 2006.  As part of our recent upgrade from
1929  Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
1930  the newly-written Unity test programs.  These were fixed.
1931* [Bug 2829] Clean up pipe_fds in ntpd.c  perlinger@ntp.org
1932* [Bug 2887] stratum -1 config results as showing value 99
1933  - fudge stratum should only accept values [0..16]. perlinger@ntp.org
1934* [Bug 2932] Update leapsecond file info in miscopt.html.  CWoodbury, HStenn.
1935* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in.  HMurray
1936* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
1937  - applied patch by Christos Zoulas.  perlinger@ntp.org
1938* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
1939* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
1940  - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
1941  - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
1942* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
1943  - accept key file only if there are no parsing errors
1944  - fixed size_t/u_int format clash
1945  - fixed wrong use of 'strlcpy'
1946* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
1947* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
1948  - fixed several other warnings (cast-alignment, missing const, missing prototypes)
1949  - promote use of 'size_t' for values that express a size
1950  - use ptr-to-const for read-only arguments
1951  - make sure SOCKET values are not truncated (win32-specific)
1952  - format string fixes
1953* [Bug 2965] Local clock didn't work since 4.2.8p4.  Martin Burnicki.
1954* [Bug 2967] ntpdate command suffers an assertion failure
1955  - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
1956* [Bug 2969]  Seg fault from ntpq/mrulist when looking at server with
1957              lots of clients. perlinger@ntp.org
1958* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
1959  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
1960* Unity cleanup for FreeBSD-6.4.  Harlan Stenn.
1961* Unity test cleanup.  Harlan Stenn.
1962* Libevent autoconf pthread fixes for FreeBSD-10.  Harlan Stenn.
1963* Header cleanup in tests/sandbox/uglydate.c.  Harlan Stenn.
1964* Header cleanup in tests/libntp/sfptostr.c.  Harlan Stenn.
1965* Quiet a warning from clang.  Harlan Stenn.
1966
1967---
1968NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21)
1969
1970Focus: Security, Bug fixes, enhancements.
1971
1972Severity: MEDIUM
1973
1974In addition to bug fixes and enhancements, this release fixes the
1975following 13 low- and medium-severity vulnerabilities:
1976
1977* Incomplete vallen (value length) checks in ntp_crypto.c, leading
1978  to potential crashes or potential code injection/information leakage.
1979
1980    References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
1981    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
1982    	and 4.3.0 up to, but not including 4.3.77
1983    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
1984    Summary: The fix for CVE-2014-9750 was incomplete in that there were
1985    	certain code paths where a packet with particular autokey operations
1986	that contained malicious data was not always being completely
1987	validated. Receipt of these packets can cause ntpd to crash.
1988    Mitigation:
1989        Don't use autokey.
1990	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1991	    Page or the NTP Public Services Project Download Page
1992	Monitor your ntpd instances.
1993	Credit: This weakness was discovered by Tenable Network Security.
1994
1995* Clients that receive a KoD should validate the origin timestamp field.
1996
1997    References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
1998    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
1999	and 4.3.0 up to, but not including 4.3.77
2000    CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
2001    Summary: An ntpd client that honors Kiss-of-Death responses will honor
2002    	KoD messages that have been forged by an attacker, causing it to
2003	delay or stop querying its servers for time updates. Also, an
2004	attacker can forge packets that claim to be from the target and
2005	send them to servers often enough that a server that implements
2006	KoD rate limiting will send the target machine a KoD response to
2007	attempt to reduce the rate of incoming packets, or it may also
2008	trigger a firewall block at the server for packets from the target
2009	machine. For either of these attacks to succeed, the attacker must
2010	know what servers the target is communicating with. An attacker
2011	can be anywhere on the Internet and can frequently learn the
2012	identity of the target's time source by sending the target a
2013	time query.
2014    Mitigation:
2015        Implement BCP-38.
2016	Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
2017	    or the NTP Public Services Project Download Page
2018	If you can't upgrade, restrict who can query ntpd to learn who
2019	    its servers are, and what IPs are allowed to ask your system
2020	    for the time. This mitigation is heavy-handed.
2021	Monitor your ntpd instances.
2022    Note:
2023    	4.2.8p4 protects against the first attack. For the second attack,
2024    	all we can do is warn when it is happening, which we do in 4.2.8p4.
2025    Credit: This weakness was discovered by Aanchal Malhotra,
2026    	Issac E. Cohen, and Sharon Goldberg of Boston University.
2027
2028* configuration directives to change "pidfile" and "driftfile" should
2029  only be allowed locally.
2030
2031  References: Sec 2902 / CVE-2015-5196
2032  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2033	and 4.3.0 up to, but not including 4.3.77
2034   CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
2035   Summary: If ntpd is configured to allow for remote configuration,
2036	and if the (possibly spoofed) source IP address is allowed to
2037	send remote configuration requests, and if the attacker knows
2038	the remote configuration password, it's possible for an attacker
2039	to use the "pidfile" or "driftfile" directives to potentially
2040	overwrite other files.
2041   Mitigation:
2042	Implement BCP-38.
2043	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2044	    Page or the NTP Public Services Project Download Page
2045	If you cannot upgrade, don't enable remote configuration.
2046	If you must enable remote configuration and cannot upgrade,
2047	    remote configuration of NTF's ntpd requires:
2048	    - an explicitly configured trustedkey, and you should also
2049	    	configure a controlkey.
2050	    - access from a permitted IP. You choose the IPs.
2051	    - authentication. Don't disable it. Practice secure key safety.
2052	Monitor your ntpd instances.
2053   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
2054
2055* Slow memory leak in CRYPTO_ASSOC
2056
2057  References: Sec 2909 / CVE-2015-7701
2058  Affects: All ntp-4 releases that use autokey up to, but not
2059    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
2060  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
2061  	4.6 otherwise
2062  Summary: If ntpd is configured to use autokey, then an attacker can
2063	send packets to ntpd that will, after several days of ongoing
2064	attack, cause it to run out of memory.
2065  Mitigation:
2066	Don't use autokey.
2067	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2068	    Page or the NTP Public Services Project Download Page
2069	Monitor your ntpd instances.
2070  Credit: This weakness was discovered by Tenable Network Security.
2071
2072* mode 7 loop counter underrun
2073
2074  References:  Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
2075  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2076  	and 4.3.0 up to, but not including 4.3.77
2077  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
2078  Summary: If ntpd is configured to enable mode 7 packets, and if the
2079	use of mode 7 packets is not properly protected thru the use of
2080	the available mode 7 authentication and restriction mechanisms,
2081	and if the (possibly spoofed) source IP address is allowed to
2082	send mode 7 queries, then an attacker can send a crafted packet
2083	to ntpd that will cause it to crash.
2084  Mitigation:
2085	Implement BCP-38.
2086	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2087	    Page or the NTP Public Services Project Download Page.
2088	      If you are unable to upgrade:
2089	In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
2090	If you must enable mode 7:
2091	    configure the use of a requestkey to control who can issue
2092		mode 7 requests.
2093	    configure restrict noquery to further limit mode 7 requests
2094		to trusted sources.
2095	Monitor your ntpd instances.
2096Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.
2097
2098* memory corruption in password store
2099
2100  References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
2101  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
2102  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
2103  Summary: If ntpd is configured to allow remote configuration, and if
2104	the (possibly spoofed) source IP address is allowed to send
2105	remote configuration requests, and if the attacker knows the
2106	remote configuration password or if ntpd was configured to
2107	disable authentication, then an attacker can send a set of
2108	packets to ntpd that may cause a crash or theoretically
2109	perform a code injection attack.
2110  Mitigation:
2111	Implement BCP-38.
2112	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2113	    Page or the NTP Public Services Project Download Page.
2114	If you are unable to upgrade, remote configuration of NTF's
2115	    ntpd requires:
2116		an explicitly configured "trusted" key. Only configure
2117			this if you need it.
2118		access from a permitted IP address. You choose the IPs.
2119		authentication. Don't disable it. Practice secure key safety.
2120	Monitor your ntpd instances.
2121  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2122
2123* Infinite loop if extended logging enabled and the logfile and
2124  keyfile are the same.
2125
2126    References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
2127    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2128	and 4.3.0 up to, but not including 4.3.77
2129    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
2130    Summary: If ntpd is configured to allow remote configuration, and if
2131	the (possibly spoofed) source IP address is allowed to send
2132	remote configuration requests, and if the attacker knows the
2133	remote configuration password or if ntpd was configured to
2134	disable authentication, then an attacker can send a set of
2135	packets to ntpd that will cause it to crash and/or create a
2136	potentially huge log file. Specifically, the attacker could
2137	enable extended logging, point the key file at the log file,
2138	and cause what amounts to an infinite loop.
2139    Mitigation:
2140	Implement BCP-38.
2141	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2142	    Page or the NTP Public Services Project Download Page.
2143	If you are unable to upgrade, remote configuration of NTF's ntpd
2144	  requires:
2145            an explicitly configured "trusted" key. Only configure this
2146	    	if you need it.
2147            access from a permitted IP address. You choose the IPs.
2148            authentication. Don't disable it. Practice secure key safety.
2149        Monitor your ntpd instances.
2150    Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2151
2152* Potential path traversal vulnerability in the config file saving of
2153  ntpd on VMS.
2154
2155  References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
2156  Affects: All ntp-4 releases running under VMS up to, but not
2157	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
2158  CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
2159  Summary: If ntpd is configured to allow remote configuration, and if
2160	the (possibly spoofed) IP address is allowed to send remote
2161	configuration requests, and if the attacker knows the remote
2162	configuration password or if ntpd was configured to disable
2163	authentication, then an attacker can send a set of packets to
2164	ntpd that may cause ntpd to overwrite files.
2165  Mitigation:
2166	Implement BCP-38.
2167	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2168	    Page or the NTP Public Services Project Download Page.
2169	If you are unable to upgrade, remote configuration of NTF's ntpd
2170	    requires:
2171		an explicitly configured "trusted" key. Only configure
2172			this if you need it.
2173		access from permitted IP addresses. You choose the IPs.
2174		authentication. Don't disable it. Practice key security safety.
2175        Monitor your ntpd instances.
2176    Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2177
2178* ntpq atoascii() potential memory corruption
2179
2180  References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
2181  Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
2182	and 4.3.0 up to, but not including 4.3.77
2183  CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
2184  Summary: If an attacker can figure out the precise moment that ntpq
2185	is listening for data and the port number it is listening on or
2186	if the attacker can provide a malicious instance ntpd that
2187	victims will connect to then an attacker can send a set of
2188	crafted mode 6 response packets that, if received by ntpq,
2189	can cause ntpq to crash.
2190  Mitigation:
2191	Implement BCP-38.
2192	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2193	    Page or the NTP Public Services Project Download Page.
2194	If you are unable to upgrade and you run ntpq against a server
2195	    and ntpq crashes, try again using raw mode. Build or get a
2196	    patched ntpq and see if that fixes the problem. Report new
2197	    bugs in ntpq or abusive servers appropriately.
2198	If you use ntpq in scripts, make sure ntpq does what you expect
2199	    in your scripts.
2200  Credit: This weakness was discovered by Yves Younan and
2201  	Aleksander Nikolich of Cisco Talos.
2202
2203* Invalid length data provided by a custom refclock driver could cause
2204  a buffer overflow.
2205
2206  References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
2207  Affects: Potentially all ntp-4 releases running up to, but not
2208	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
2209	that have custom refclocks
2210  CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
2211	5.9 unusual worst case
2212  Summary: A negative value for the datalen parameter will overflow a
2213	data buffer. NTF's ntpd driver implementations always set this
2214	value to 0 and are therefore not vulnerable to this weakness.
2215	If you are running a custom refclock driver in ntpd and that
2216	driver supplies a negative value for datalen (no custom driver
2217	of even minimal competence would do this) then ntpd would
2218	overflow a data buffer. It is even hypothetically possible
2219	in this case that instead of simply crashing ntpd the attacker
2220	could effect a code injection attack.
2221  Mitigation:
2222	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2223	    Page or the NTP Public Services Project Download Page.
2224	If you are unable to upgrade:
2225		If you are running custom refclock drivers, make sure
2226			the signed datalen value is either zero or positive.
2227	Monitor your ntpd instances.
2228  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2229
2230* Password Length Memory Corruption Vulnerability
2231
2232  References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
2233  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
2234  	4.3.0 up to, but not including 4.3.77
2235  CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
2236  	1.7 usual case, 6.8, worst case
2237  Summary: If ntpd is configured to allow remote configuration, and if
2238	the (possibly spoofed) source IP address is allowed to send
2239	remote configuration requests, and if the attacker knows the
2240	remote configuration password or if ntpd was (foolishly)
2241	configured to disable authentication, then an attacker can
2242	send a set of packets to ntpd that may cause it to crash,
2243	with the hypothetical possibility of a small code injection.
2244  Mitigation:
2245	Implement BCP-38.
2246	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2247	    Page or the NTP Public Services Project Download Page.
2248	If you are unable to upgrade, remote configuration of NTF's
2249	    ntpd requires:
2250		an explicitly configured "trusted" key. Only configure
2251			this if you need it.
2252		access from a permitted IP address. You choose the IPs.
2253		authentication. Don't disable it. Practice secure key safety.
2254	Monitor your ntpd instances.
2255  Credit: This weakness was discovered by Yves Younan and
2256  	Aleksander Nikolich of Cisco Talos.
2257
2258* decodenetnum() will ASSERT botch instead of returning FAIL on some
2259  bogus values.
2260
2261  References: Sec 2922 / CVE-2015-7855
2262  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
2263	4.3.0 up to, but not including 4.3.77
2264  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
2265  Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
2266	an unusually long data value where a network address is expected,
2267	the decodenetnum() function will abort with an assertion failure
2268	instead of simply returning a failure condition.
2269  Mitigation:
2270	Implement BCP-38.
2271	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2272	    Page or the NTP Public Services Project Download Page.
2273	If you are unable to upgrade:
2274		mode 7 is disabled by default. Don't enable it.
2275		Use restrict noquery to limit who can send mode 6
2276			and mode 7 requests.
2277		Configure and use the controlkey and requestkey
2278			authentication directives to limit who can
2279			send mode 6 and mode 7 requests.
2280	Monitor your ntpd instances.
2281  Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.
2282
2283* NAK to the Future: Symmetric association authentication bypass via
2284  crypto-NAK.
2285
2286  References: Sec 2941 / CVE-2015-7871
2287  Affects: All ntp-4 releases between 4.2.5p186 up to but not including
2288  	4.2.8p4, and 4.3.0 up to but not including 4.3.77
2289  CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
2290  Summary: Crypto-NAK packets can be used to cause ntpd to accept time
2291	from unauthenticated ephemeral symmetric peers by bypassing the
2292	authentication required to mobilize peer associations. This
2293	vulnerability appears to have been introduced in ntp-4.2.5p186
2294	when the code handling mobilization of new passive symmetric
2295	associations (lines 1103-1165) was refactored.
2296  Mitigation:
2297	Implement BCP-38.
2298	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2299	    Page or the NTP Public Services Project Download Page.
2300	If you are unable to upgrade:
2301		Apply the patch to the bottom of the "authentic" check
2302			block around line 1136 of ntp_proto.c.
2303	Monitor your ntpd instances.
2304  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
2305
2306Backward-Incompatible changes:
2307* [Bug 2817] Default on Linux is now "rlimit memlock -1".
2308  While the general default of 32M is still the case, under Linux
2309  the default value has been changed to -1 (do not lock ntpd into
2310  memory).  A value of 0 means "lock ntpd into memory with whatever
2311  memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
2312  value in it, that value will continue to be used.
2313
2314* [Bug 2886] Misspelling: "outlyer" should be "outlier".
2315  If you've written a script that looks for this case in, say, the
2316  output of ntpq, you probably want to change your regex matches
2317  from 'outlyer' to 'outl[iy]er'.
2318
2319New features in this release:
2320* 'rlimit memlock' now has finer-grained control.  A value of -1 means
2321  "don't lock ntpd into memore".  This is the default for Linux boxes.
2322  A value of 0 means "lock ntpd into memory" with no limits.  Otherwise
2323  the value is the number of megabytes of memory to lock.  The default
2324  is 32 megabytes.
2325
2326* The old Google Test framework has been replaced with a new framework,
2327  based on http://www.throwtheswitch.org/unity/ .
2328
2329Bug Fixes and Improvements:
2330* [Bug 2332] (reopened) Exercise thread cancellation once before dropping
2331  privileges and limiting resources in NTPD removes the need to link
2332  forcefully against 'libgcc_s' which does not always work. J.Perlinger
2333* [Bug 2595] ntpdate man page quirks.  Hal Murray, Harlan Stenn.
2334* [Bug 2625] Deprecate flag1 in local refclock.  Hal Murray, Harlan Stenn.
2335* [Bug 2817] Stop locking ntpd into memory by default under Linux.  H.Stenn.
2336* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c.  perlinger@ntp.org
2337* [Bug 2823] ntpsweep with recursive peers option doesn't work.  H.Stenn.
2338* [Bug 2849] Systems with more than one default route may never
2339  synchronize.  Brian Utterback.  Note that this patch might need to
2340  be reverted once Bug 2043 has been fixed.
2341* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
2342* [Bug 2866] segmentation fault at initgroups().  Harlan Stenn.
2343* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
2344* [Bug 2873] libevent should not include .deps/ in the tarball.  H.Stenn
2345* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
2346* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS.  libevent must
2347  be configured for the distribution targets.  Harlan Stenn.
2348* [Bug 2883] ntpd crashes on exit with empty driftfile.  Miroslav Lichvar.
2349* [Bug 2886] Mis-spelling: "outlyer" should be "outlier".  dave@horsfall.org
2350* [Bug 2888] streamline calendar functions.  perlinger@ntp.org
2351* [Bug 2889] ntp-dev-4.3.67 does not build on Windows.  perlinger@ntp.org
2352* [Bug 2890] Ignore ENOBUFS on routing netlink socket.  Konstantin Khlebnikov.
2353* [Bug 2906] make check needs better support for pthreads.  Harlan Stenn.
2354* [Bug 2907] dist* build targets require our libevent/ to be enabled.  HStenn.
2355* [Bug 2912] no munlockall() under Windows.  David Taylor, Harlan Stenn.
2356* libntp/emalloc.c: Remove explicit include of stdint.h.  Harlan Stenn.
2357* Put Unity CPPFLAGS items in unity_config.h.  Harlan Stenn.
2358* tests/ntpd/g_leapsec.cpp typo fix.  Harlan Stenn.
2359* Phase 1 deprecation of google test in sntp/tests/.  Harlan Stenn.
2360* On some versions of HP-UX, inttypes.h does not include stdint.h.  H.Stenn.
2361* top_srcdir can change based on ntp v. sntp.  Harlan Stenn.
2362* sntp/tests/ function parameter list cleanup.  Damir Tomić.
2363* tests/libntp/ function parameter list cleanup.  Damir Tomić.
2364* tests/ntpd/ function parameter list cleanup.  Damir Tomić.
2365* sntp/unity/unity_config.h: handle stdint.h.  Harlan Stenn.
2366* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris.  H.Stenn.
2367* tests/libntp/timevalops.c and timespecops.c fixed error printing.  D.Tomić.
2368* tests/libntp/ improvements in code and fixed error printing.  Damir Tomić.
2369* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
2370  caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
2371  formatting; first declaration, then code (C90); deleted unnecessary comments;
2372  changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
2373* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
2374  fix formatting, cleanup. Tomasz Flendrich
2375* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
2376  Tomasz Flendrich
2377* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
2378  fix formatting. Tomasz Flendrich
2379* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
2380* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
2381* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
2382  Tomasz Flendrich
2383* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
2384* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
2385* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
2386* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
2387* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
2388* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
2389* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
2390fixed formatting. Tomasz Flendrich
2391* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
2392  removed unnecessary comments, cleanup. Tomasz Flendrich
2393* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
2394  comments, cleanup. Tomasz Flendrich
2395* tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
2396  Tomasz Flendrich
2397* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
2398* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
2399* sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
2400  Tomasz Flendrich
2401* sntp/tests/kodDatabase.c added consts, deleted empty function,
2402  fixed formatting. Tomasz Flendrich
2403* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
2404* sntp/tests/packetHandling.c is now using proper Unity's assertions,
2405  fixed formatting, deleted unused variable. Tomasz Flendrich
2406* sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
2407  Tomasz Flendrich
2408* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
2409  fixed formatting. Tomasz Flendrich
2410* sntp/tests/utilities.c is now using proper Unity's assertions, changed
2411  the order of includes, fixed formatting, removed unnecessary comments.
2412  Tomasz Flendrich
2413* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
2414* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
2415  made one function do its job, deleted unnecessary prints, fixed formatting.
2416  Tomasz Flendrich
2417* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
2418* sntp/unity/unity_config.h: Distribute it.  Harlan Stenn.
2419* sntp/libevent/evconfig-private.h: remove generated filefrom SCM.  H.Stenn.
2420* sntp/unity/Makefile.am: fix some broken paths.  Harlan Stenn.
2421* sntp/unity/unity.c: Clean up a printf().  Harlan Stenn.
2422* Phase 1 deprecation of google test in tests/libntp/.  Harlan Stenn.
2423* Don't build sntp/libevent/sample/.  Harlan Stenn.
2424* tests/libntp/test_caltontp needs -lpthread.  Harlan Stenn.
2425* br-flock: --enable-local-libevent.  Harlan Stenn.
2426* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
2427* scripts/lib/NTP/Util.pm: stratum output is version-dependent.  Harlan Stenn.
2428* Get rid of the NTP_ prefix on our assertion macros.  Harlan Stenn.
2429* Code cleanup.  Harlan Stenn.
2430* libntp/icom.c: Typo fix.  Harlan Stenn.
2431* util/ntptime.c: initialization nit.  Harlan Stenn.
2432* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr).  Harlan Stenn.
2433* Add std_unity_tests to various Makefile.am files.  Harlan Stenn.
2434* ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
2435  Tomasz Flendrich
2436* Changed progname to be const in many files - now it's consistent. Tomasz
2437  Flendrich
2438* Typo fix for GCC warning suppression.  Harlan Stenn.
2439* Added tests/ntpd/ntp_scanner.c test. Damir Tomić.
2440* Added declarations to all Unity tests, and did minor fixes to them.
2441  Reduced the number of warnings by half. Damir Tomić.
2442* Updated generate_test_runner.rb and updated the sntp/unity/auto directory
2443  with the latest Unity updates from Mark. Damir Tomić.
2444* Retire google test - phase I.  Harlan Stenn.
2445* Unity test cleanup: move declaration of 'initializing'.  Harlan Stenn.
2446* Update the NEWS file.  Harlan Stenn.
2447* Autoconf cleanup.  Harlan Stenn.
2448* Unit test dist cleanup. Harlan Stenn.
2449* Cleanup various test Makefile.am files.  Harlan Stenn.
2450* Pthread autoconf macro cleanup.  Harlan Stenn.
2451* Fix progname definition in unity runner scripts.  Harlan Stenn.
2452* Clean trailing whitespace in tests/ntpd/Makefile.am.  Harlan Stenn.
2453* Update the patch for bug 2817.  Harlan Stenn.
2454* More updates for bug 2817.  Harlan Stenn.
2455* Fix bugs in tests/ntpd/ntp_prio_q.c.  Harlan Stenn.
2456* gcc on older HPUX may need +allowdups.  Harlan Stenn.
2457* Adding missing MCAST protection.  Harlan Stenn.
2458* Disable certain test programs on certain platforms.  Harlan Stenn.
2459* Implement --enable-problem-tests (on by default).  Harlan Stenn.
2460* build system tweaks.  Harlan Stenn.
2461
2462---
2463NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)
2464
2465Focus: 1 Security fix.  Bug fixes and enhancements.  Leap-second improvements.
2466
2467Severity: MEDIUM
2468
2469Security Fix:
2470
2471* [Sec 2853] Crafted remote config packet can crash some versions of
2472  ntpd.  Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.
2473
2474Under specific circumstances an attacker can send a crafted packet to
2475cause a vulnerable ntpd instance to crash. This requires each of the
2476following to be true:
2477
24781) ntpd set up to allow remote configuration (not allowed by default), and
24792) knowledge of the configuration password, and
24803) access to a computer entrusted to perform remote configuration.
2481
2482This vulnerability is considered low-risk.
2483
2484New features in this release:
2485
2486Optional (disabled by default) support to have ntpd provide smeared
2487leap second time.  A specially built and configured ntpd will only
2488offer smeared time in response to client packets.  These response
2489packets will also contain a "refid" of 254.a.b.c, where the 24 bits
2490of a, b, and c encode the amount of smear in a 2:22 integer:fraction
2491format.  See README.leapsmear and http://bugs.ntp.org/2855 for more
2492information.
2493
2494   *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
2495   *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
2496
2497We've imported the Unity test framework, and have begun converting
2498the existing google-test items to this new framework.  If you want
2499to write new tests or change old ones, you'll need to have ruby
2500installed.  You don't need ruby to run the test suite.
2501
2502Bug Fixes and Improvements:
2503
2504* CID 739725: Fix a rare resource leak in libevent/listener.c.
2505* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
2506* CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html
2507* CID 1269537: Clean up a line of dead code in getShmTime().
2508* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c.  Helge Oldach.
2509* [Bug 2590] autogen-5.18.5.
2510* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
2511  of 'limited'.
2512* [Bug 2650] fix includefile processing.
2513* [Bug 2745] ntpd -x steps clock on leap second
2514   Fixed an initial-value problem that caused misbehaviour in absence of
2515   any leapsecond information.
2516   Do leap second stepping only of the step adjustment is beyond the
2517   proper jump distance limit and step correction is allowed at all.
2518* [Bug 2750] build for Win64
2519  Building for 32bit of loopback ppsapi needs def file
2520* [Bug 2776] Improve ntpq's 'help keytype'.
2521* [Bug 2778] Implement "apeers"  ntpq command to include associd.
2522* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
2523* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
2524  interface is ignored as long as this flag is not set since the
2525  interface is not usable (e.g., no link).
2526* [Bug 2794] Clean up kernel clock status reports.
2527* [Bug 2800] refclock_true.c true_debug() can't open debug log because
2528  of incompatible open/fdopen parameters.
2529* [Bug 2804] install-local-data assumes GNU 'find' semantics.
2530* [Bug 2805] ntpd fails to join multicast group.
2531* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
2532* [Bug 2808] GPSD_JSON driver enhancements, step 1.
2533  Fix crash during cleanup if GPS device not present and char device.
2534  Increase internal token buffer to parse all JSON data, even SKY.
2535  Defer logging of errors during driver init until the first unit is
2536  started, so the syslog is not cluttered when the driver is not used.
2537  Various improvements, see http://bugs.ntp.org/2808 for details.
2538  Changed libjsmn to a more recent version.
2539* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
2540* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
2541* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
2542* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
2543* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
2544* [Bug 2824] Convert update-leap to perl. (also see 2769)
2545* [Bug 2825] Quiet file installation in html/ .
2546* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
2547   NTPD transfers the current TAI (instead of an announcement) now.
2548   This might still needed improvement.
2549   Update autokey data ASAP when 'sys_tai' changes.
2550   Fix unit test that was broken by changes for autokey update.
2551   Avoid potential signature length issue and use DPRINTF where possible
2552     in ntp_crypto.c.
2553* [Bug 2832] refclock_jjy.c supports the TDC-300.
2554* [Bug 2834] Correct a broken html tag in html/refclock.html
2555* [Bug 2836] DFC77 patches from Frank Kardel to make decoding more
2556  robust, and require 2 consecutive timestamps to be consistent.
2557* [Bug 2837] Allow a configurable DSCP value.
2558* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
2559* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
2560* [Bug 2842] Bug in mdoc2man.
2561* [Bug 2843] make check fails on 4.3.36
2562   Fixed compiler warnings about numeric range overflow
2563   (The original topic was fixed in a byplay to bug#2830)
2564* [Bug 2845] Harden memory allocation in ntpd.
2565* [Bug 2852] 'make check' can't find unity.h.  Hal Murray.
2566* [Bug 2854] Missing brace in libntp/strdup.c.  Masanari Iida.
2567* [Bug 2855] Parser fix for conditional leap smear code.  Harlan Stenn.
2568* [Bug 2855] Report leap smear in the REFID.  Harlan Stenn.
2569* [Bug 2855] Implement conditional leap smear code.  Martin Burnicki.
2570* [Bug 2856] ntpd should wait() on terminated child processes.  Paul Green.
2571* [Bug 2857] Stratus VOS does not support SIGIO.  Paul Green.
2572* [Bug 2859] Improve raw DCF77 robustness deconding.  Frank Kardel.
2573* [Bug 2860] ntpq ifstats sanity check is too stringent.  Frank Kardel.
2574* html/drivers/driver22.html: typo fix.  Harlan Stenn.
2575* refidsmear test cleanup.  Tomasz Flendrich.
2576* refidsmear function support and tests.  Harlan Stenn.
2577* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
2578  something that was only in the 4.2.6 sntp.  Harlan Stenn.
2579* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
2580  Damir Tomić
2581* Modified tests/libtnp/Makefile.am so it builds Unity framework tests.
2582  Damir Tomić
2583* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
2584  Damir Tomić
2585* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
2586* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
2587* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
2588  atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
2589  calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
2590  numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
2591  timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
2592  Damir Tomić
2593* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
2594  networking.c, keyFile.c, utilities.cpp, sntptest.h,
2595  fileHandlingTest.h. Damir Tomić
2596* Initial support for experimental leap smear code.  Harlan Stenn.
2597* Fixes to sntp/tests/fileHandlingTest.h.in.  Harlan Stenn.
2598* Report select() debug messages at debug level 3 now.
2599* sntp/scripts/genLocInfo: treat raspbian as debian.
2600* Unity test framework fixes.
2601  ** Requires ruby for changes to tests.
2602* Initial support for PACKAGE_VERSION tests.
2603* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
2604* tests/bug-2803/Makefile.am must distribute bug-2803.h.
2605* Add an assert to the ntpq ifstats code.
2606* Clean up the RLIMIT_STACK code.
2607* Improve the ntpq documentation around the controlkey keyid.
2608* ntpq.c cleanup.
2609* Windows port build cleanup.
2610
2611---
2612NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)
2613
2614Focus: Security and Bug fixes, enhancements.
2615
2616Severity: MEDIUM
2617
2618In addition to bug fixes and enhancements, this release fixes the
2619following medium-severity vulnerabilities involving private key
2620authentication:
2621
2622* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
2623
2624    References: Sec 2779 / CVE-2015-1798 / VU#374268
2625    Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
2626	including ntp-4.2.8p2 where the installation uses symmetric keys
2627	to authenticate remote associations.
2628    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
2629    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
2630    Summary: When ntpd is configured to use a symmetric key to authenticate
2631	a remote NTP server/peer, it checks if the NTP message
2632	authentication code (MAC) in received packets is valid, but not if
2633	there actually is any MAC included. Packets without a MAC are
2634	accepted as if they had a valid MAC. This allows a MITM attacker to
2635	send false packets that are accepted by the client/peer without
2636	having to know the symmetric key. The attacker needs to know the
2637	transmit timestamp of the client to match it in the forged reply
2638	and the false reply needs to reach the client before the genuine
2639	reply from the server. The attacker doesn't necessarily need to be
2640	relaying the packets between the client and the server.
2641
2642	Authentication using autokey doesn't have this problem as there is
2643	a check that requires the key ID to be larger than NTP_MAXKEY,
2644	which fails for packets without a MAC.
2645    Mitigation:
2646        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
2647	or the NTP Public Services Project Download Page
2648        Configure ntpd with enough time sources and monitor it properly.
2649    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
2650
2651* [Sec 2781] Authentication doesn't protect symmetric associations against
2652  DoS attacks.
2653
2654    References: Sec 2781 / CVE-2015-1799 / VU#374268
2655    Affects: All NTP releases starting with at least xntp3.3wy up to but
2656	not including ntp-4.2.8p2 where the installation uses symmetric
2657	key authentication.
2658    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
2659    Note: the CVSS base Score for this issue could be 4.3 or lower, and
2660	it could be higher than 5.4.
2661    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
2662    Summary: An attacker knowing that NTP hosts A and B are peering with
2663	each other (symmetric association) can send a packet to host A
2664	with source address of B which will set the NTP state variables
2665	on A to the values sent by the attacker. Host A will then send
2666	on its next poll to B a packet with originate timestamp that
2667	doesn't match the transmit timestamp of B and the packet will
2668	be dropped. If the attacker does this periodically for both
2669	hosts, they won't be able to synchronize to each other. This is
2670	a known denial-of-service attack, described at
2671	https://www.eecis.udel.edu/~mills/onwire.html .
2672
2673	According to the document the NTP authentication is supposed to
2674	protect symmetric associations against this attack, but that
2675	doesn't seem to be the case. The state variables are updated even
2676	when authentication fails and the peers are sending packets with
2677	originate timestamps that don't match the transmit timestamps on
2678	the receiving side.
2679
2680	This seems to be a very old problem, dating back to at least
2681	xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
2682	specifications, so other NTP implementations with support for
2683	symmetric associations and authentication may be vulnerable too.
2684	An update to the NTP RFC to correct this error is in-process.
2685    Mitigation:
2686        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
2687	or the NTP Public Services Project Download Page
2688        Note that for users of autokey, this specific style of MITM attack
2689	is simply a long-known potential problem.
2690        Configure ntpd with appropriate time sources and monitor ntpd.
2691	Alert your staff if problems are detected.
2692    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
2693
2694* New script: update-leap
2695The update-leap script will verify and if necessary, update the
2696leap-second definition file.
2697It requires the following commands in order to work:
2698
2699	wget logger tr sed shasum
2700
2701Some may choose to run this from cron.  It needs more portability testing.
2702
2703Bug Fixes and Improvements:
2704
2705* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
2706* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
2707* [Bug 2346] "graceful termination" signals do not do peer cleanup.
2708* [Bug 2728] See if C99-style structure initialization works.
2709* [Bug 2747] Upgrade libevent to 2.1.5-beta.
2710* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
2711* [Bug 2751] jitter.h has stale copies of l_fp macros.
2712* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
2713* [Bug 2757] Quiet compiler warnings.
2714* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
2715* [Bug 2763] Allow different thresholds for forward and backward steps.
2716* [Bug 2766] ntp-keygen output files should not be world-readable.
2717* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
2718* [Bug 2771] nonvolatile value is documented in wrong units.
2719* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
2720* [Bug 2774] Unreasonably verbose printout - leap pending/warning
2721* [Bug 2775] ntp-keygen.c fails to compile under Windows.
2722* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
2723  Removed non-ASCII characters from some copyright comments.
2724  Removed trailing whitespace.
2725  Updated definitions for Meinberg clocks from current Meinberg header files.
2726  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
2727  Account for updated definitions pulled from Meinberg header files.
2728  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
2729  Replaced some constant numbers by defines from ntp_calendar.h
2730  Modified creation of parse-specific variables for Meinberg devices
2731  in gps16x_message().
2732  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
2733  Modified mbg_tm_str() which now expexts an additional parameter controlling
2734  if the time status shall be printed.
2735* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
2736* [Sec 2781] Authentication doesn't protect symmetric associations against
2737  DoS attacks.
2738* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
2739* [Bug 2789] Quiet compiler warnings from libevent.
2740* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
2741  pause briefly before measuring system clock precision to yield
2742  correct results.
2743* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
2744* Use predefined function types for parse driver functions
2745  used to set up function pointers.
2746  Account for changed prototype of parse_inp_fnc_t functions.
2747  Cast parse conversion results to appropriate types to avoid
2748  compiler warnings.
2749  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
2750  when called with pointers to different types.
2751
2752---
2753NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)
2754
2755Focus: Security and Bug fixes, enhancements.
2756
2757Severity: HIGH
2758
2759In addition to bug fixes and enhancements, this release fixes the
2760following high-severity vulnerabilities:
2761
2762* vallen is not validated in several places in ntp_crypto.c, leading
2763  to a potential information leak or possibly a crash
2764
2765    References: Sec 2671 / CVE-2014-9297 / VU#852879
2766    Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
2767    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
2768    Date Resolved: Stable (4.2.8p1) 04 Feb 2015
2769    Summary: The vallen packet value is not validated in several code
2770             paths in ntp_crypto.c which can lead to information leakage
2771	     or perhaps a crash of the ntpd process.
2772    Mitigation - any of:
2773	Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
2774		or the NTP Public Services Project Download Page.
2775	Disable Autokey Authentication by removing, or commenting out,
2776		all configuration directives beginning with the "crypto"
2777		keyword in your ntp.conf file.
2778    Credit: This vulnerability was discovered by Stephen Roettger of the
2779    	Google Security Team, with additional cases found by Sebastian
2780	Krahmer of the SUSE Security Team and Harlan Stenn of Network
2781	Time Foundation.
2782
2783* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
2784  can be bypassed.
2785
2786    References: Sec 2672 / CVE-2014-9298 / VU#852879
2787    Affects: All NTP4 releases before 4.2.8p1, under at least some
2788	versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
2789    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
2790    Date Resolved: Stable (4.2.8p1) 04 Feb 2014
2791    Summary: While available kernels will prevent 127.0.0.1 addresses
2792	from "appearing" on non-localhost IPv4 interfaces, some kernels
2793	do not offer the same protection for ::1 source addresses on
2794	IPv6 interfaces. Since NTP's access control is based on source
2795	address and localhost addresses generally have no restrictions,
2796	an attacker can send malicious control and configuration packets
2797	by spoofing ::1 addresses from the outside. Note Well: This is
2798	not really a bug in NTP, it's a problem with some OSes. If you
2799	have one of these OSes where ::1 can be spoofed, ALL ::1 -based
2800	ACL restrictions on any application can be bypassed!
2801    Mitigation:
2802        Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
2803	or the NTP Public Services Project Download Page
2804        Install firewall rules to block packets claiming to come from
2805	::1 from inappropriate network interfaces.
2806    Credit: This vulnerability was discovered by Stephen Roettger of
2807	the Google Security Team.
2808
2809Additionally, over 30 bugfixes and improvements were made to the codebase.
2810See the ChangeLog for more information.
2811
2812---
2813NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)
2814
2815Focus: Security and Bug fixes, enhancements.
2816
2817Severity: HIGH
2818
2819In addition to bug fixes and enhancements, this release fixes the
2820following high-severity vulnerabilities:
2821
2822************************** vv NOTE WELL vv *****************************
2823
2824The vulnerabilities listed below can be significantly mitigated by
2825following the BCP of putting
2826
2827 restrict default ... noquery
2828
2829in the ntp.conf file.  With the exception of:
2830
2831   receive(): missing return on error
2832   References: Sec 2670 / CVE-2014-9296 / VU#852879
2833
2834below (which is a limited-risk vulnerability), none of the recent
2835vulnerabilities listed below can be exploited if the source IP is
2836restricted from sending a 'query'-class packet by your ntp.conf file.
2837
2838************************** ^^ NOTE WELL ^^ *****************************
2839
2840* Weak default key in config_auth().
2841
2842  References: [Sec 2665] / CVE-2014-9293 / VU#852879
2843  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
2844  Vulnerable Versions: all releases prior to 4.2.7p11
2845  Date Resolved: 28 Jan 2010
2846
2847  Summary: If no 'auth' key is set in the configuration file, ntpd
2848	would generate a random key on the fly.  There were two
2849	problems with this: 1) the generated key was 31 bits in size,
2850	and 2) it used the (now weak) ntp_random() function, which was
2851	seeded with a 32-bit value and could only provide 32 bits of
2852	entropy.  This was sufficient back in the late 1990s when the
2853	code was written.  Not today.
2854
2855  Mitigation - any of:
2856	- Upgrade to 4.2.7p11 or later.
2857	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
2858
2859  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
2860  	of the Google Security Team.
2861
2862* Non-cryptographic random number generator with weak seed used by
2863  ntp-keygen to generate symmetric keys.
2864
2865  References: [Sec 2666] / CVE-2014-9294 / VU#852879
2866  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
2867  Vulnerable Versions: All NTP4 releases before 4.2.7p230
2868  Date Resolved: Dev (4.2.7p230) 01 Nov 2011
2869
2870  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
2871  	prepare a random number generator that was of good quality back
2872	in the late 1990s. The random numbers produced was then used to
2873	generate symmetric keys. In ntp-4.2.8 we use a current-technology
2874	cryptographic random number generator, either RAND_bytes from
2875	OpenSSL, or arc4random().
2876
2877  Mitigation - any of:
2878  	- Upgrade to 4.2.7p230 or later.
2879	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
2880
2881  Credit:  This vulnerability was discovered in ntp-4.2.6 by
2882  	Stephen Roettger of the Google Security Team.
2883
2884* Buffer overflow in crypto_recv()
2885
2886  References: Sec 2667 / CVE-2014-9295 / VU#852879
2887  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
2888  Versions: All releases before 4.2.8
2889  Date Resolved: Stable (4.2.8) 18 Dec 2014
2890
2891  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
2892  	file contains a 'crypto pw ...' directive) a remote attacker
2893	can send a carefully crafted packet that can overflow a stack
2894	buffer and potentially allow malicious code to be executed
2895	with the privilege level of the ntpd process.
2896
2897  Mitigation - any of:
2898  	- Upgrade to 4.2.8, or later, or
2899	- Disable Autokey Authentication by removing, or commenting out,
2900	  all configuration directives beginning with the crypto keyword
2901	  in your ntp.conf file.
2902
2903  Credit: This vulnerability was discovered by Stephen Roettger of the
2904  	Google Security Team.
2905
2906* Buffer overflow in ctl_putdata()
2907
2908  References: Sec 2668 / CVE-2014-9295 / VU#852879
2909  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
2910  Versions: All NTP4 releases before 4.2.8
2911  Date Resolved: Stable (4.2.8) 18 Dec 2014
2912
2913  Summary: A remote attacker can send a carefully crafted packet that
2914  	can overflow a stack buffer and potentially allow malicious
2915	code to be executed with the privilege level of the ntpd process.
2916
2917  Mitigation - any of:
2918  	- Upgrade to 4.2.8, or later.
2919	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
2920
2921  Credit: This vulnerability was discovered by Stephen Roettger of the
2922  	Google Security Team.
2923
2924* Buffer overflow in configure()
2925
2926  References: Sec 2669 / CVE-2014-9295 / VU#852879
2927  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
2928  Versions: All NTP4 releases before 4.2.8
2929  Date Resolved: Stable (4.2.8) 18 Dec 2014
2930
2931  Summary: A remote attacker can send a carefully crafted packet that
2932	can overflow a stack buffer and potentially allow malicious
2933	code to be executed with the privilege level of the ntpd process.
2934
2935  Mitigation - any of:
2936  	- Upgrade to 4.2.8, or later.
2937	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
2938
2939  Credit: This vulnerability was discovered by Stephen Roettger of the
2940	Google Security Team.
2941
2942* receive(): missing return on error
2943
2944  References: Sec 2670 / CVE-2014-9296 / VU#852879
2945  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
2946  Versions: All NTP4 releases before 4.2.8
2947  Date Resolved: Stable (4.2.8) 18 Dec 2014
2948
2949  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
2950  	the code path where an error was detected, which meant
2951	processing did not stop when a specific rare error occurred.
2952	We haven't found a way for this bug to affect system integrity.
2953	If there is no way to affect system integrity the base CVSS
2954	score for this bug is 0. If there is one avenue through which
2955	system integrity can be partially affected, the base score
2956	becomes a 5. If system integrity can be partially affected
2957	via all three integrity metrics, the CVSS base score become 7.5.
2958
2959  Mitigation - any of:
2960        - Upgrade to 4.2.8, or later,
2961        - Remove or comment out all configuration directives
2962	  beginning with the crypto keyword in your ntp.conf file.
2963
2964  Credit: This vulnerability was discovered by Stephen Roettger of the
2965  	Google Security Team.
2966
2967See http://support.ntp.org/security for more information.
2968
2969New features / changes in this release:
2970
2971Important Changes
2972
2973* Internal NTP Era counters
2974
2975The internal counters that track the "era" (range of years) we are in
2976rolls over every 136 years'.  The current "era" started at the stroke of
2977midnight on 1 Jan 1900, and ends just before the stroke of midnight on
29781 Jan 2036.
2979In the past, we have used the "midpoint" of the  range to decide which
2980era we were in.  Given the longevity of some products, it became clear
2981that it would be more functional to "look back" less, and "look forward"
2982more.  We now compile a timestamp into the ntpd executable and when we
2983get a timestamp we us the "built-on" to tell us what era we are in.
2984This check "looks back" 10 years, and "looks forward" 126 years.
2985
2986* ntpdc responses disabled by default
2987
2988Dave Hart writes:
2989
2990For a long time, ntpq and its mostly text-based mode 6 (control)
2991protocol have been preferred over ntpdc and its mode 7 (private
2992request) protocol for runtime queries and configuration.  There has
2993been a goal of deprecating ntpdc, previously held back by numerous
2994capabilities exposed by ntpdc with no ntpq equivalent.  I have been
2995adding commands to ntpq to cover these cases, and I believe I've
2996covered them all, though I've not compared command-by-command
2997recently.
2998
2999As I've said previously, the binary mode 7 protocol involves a lot of
3000hand-rolled structure layout and byte-swapping code in both ntpd and
3001ntpdc which is hard to get right.  As ntpd grows and changes, the
3002changes are difficult to expose via ntpdc while maintaining forward
3003and backward compatibility between ntpdc and ntpd.  In contrast,
3004ntpq's text-based, label=value approach involves more code reuse and
3005allows compatible changes without extra work in most cases.
3006
3007Mode 7 has always been defined as vendor/implementation-specific while
3008mode 6 is described in RFC 1305 and intended to be open to interoperate
3009with other implementations.  There is an early draft of an updated
3010mode 6 description that likely will join the other NTPv4 RFCs
3011eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)
3012
3013For these reasons, ntpd 4.2.7p230 by default disables processing of
3014ntpdc queries, reducing ntpd's attack surface and functionally
3015deprecating ntpdc.  If you are in the habit of using ntpdc for certain
3016operations, please try the ntpq equivalent.  If there's no equivalent,
3017please open a bug report at http://bugs.ntp.org./
3018
3019In addition to the above, over 1100 issues have been resolved between
3020the 4.2.6 branch and 4.2.8.  The ChangeLog file in the distribution
3021lists these.
3022
3023---
3024NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)
3025
3026Focus: Bug fixes
3027
3028Severity: Medium
3029
3030This is a recommended upgrade.
3031
3032This release updates sys_rootdisp and sys_jitter calculations to match the
3033RFC specification, fixes a potential IPv6 address matching error for the
3034"nic" and "interface" configuration directives, suppresses the creation of
3035extraneous ephemeral associations for certain broadcastclient and
3036multicastclient configurations, cleans up some ntpq display issues, and
3037includes improvements to orphan mode, minor bugs fixes and code clean-ups.
3038
3039New features / changes in this release:
3040
3041ntpd
3042
3043 * Updated "nic" and "interface" IPv6 address handling to prevent
3044   mismatches with localhost [::1] and wildcard [::] which resulted from
3045   using the address/prefix format (e.g. fe80::/64)
3046 * Fix orphan mode stratum incorrectly counting to infinity
3047 * Orphan parent selection metric updated to includes missing ntohl()
3048 * Non-printable stratum 16 refid no longer sent to ntp
3049 * Duplicate ephemeral associations suppressed for broadcastclient and
3050   multicastclient without broadcastdelay
3051 * Exclude undetermined sys_refid from use in loopback TEST12
3052 * Exclude MODE_SERVER responses from KoD rate limiting
3053 * Include root delay in clock_update() sys_rootdisp calculations
3054 * get_systime() updated to exclude sys_residual offset (which only
3055   affected bits "below" sys_tick, the precision threshold)
3056 * sys.peer jitter weighting corrected in sys_jitter calculation
3057
3058ntpq
3059
3060 * -n option extended to include the billboard "server" column
3061 * IPv6 addresses in the local column truncated to prevent overruns
3062
3063---
3064NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)
3065
3066Focus: Bug fixes and portability improvements
3067
3068Severity: Medium
3069
3070This is a recommended upgrade.
3071
3072This release includes build infrastructure updates, code
3073clean-ups, minor bug fixes, fixes for a number of minor
3074ref-clock issues, and documentation revisions.
3075
3076Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.
3077
3078New features / changes in this release:
3079
3080Build system
3081
3082* Fix checking for struct rtattr
3083* Update config.guess and config.sub for AIX
3084* Upgrade required version of autogen and libopts for building
3085  from our source code repository
3086
3087ntpd
3088
3089* Back-ported several fixes for Coverity warnings from ntp-dev
3090* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
3091* Allow "logconfig =allall" configuration directive
3092* Bind tentative IPv6 addresses on Linux
3093* Correct WWVB/Spectracom driver to timestamp CR instead of LF
3094* Improved tally bit handling to prevent incorrect ntpq peer status reports
3095* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
3096  candidate list unless they are designated a "prefer peer"
3097* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
3098  selection during the 'tos orphanwait' period
3099* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
3100  drivers
3101* Improved support of the Parse Refclock trusttime flag in Meinberg mode
3102* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
3103* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
3104  clock slew on Microsoft Windows
3105* Code cleanup in libntpq
3106
3107ntpdc
3108
3109* Fix timerstats reporting
3110
3111ntpdate
3112
3113* Reduce time required to set clock
3114* Allow a timeout greater than 2 seconds
3115
3116sntp
3117
3118* Backward incompatible command-line option change:
3119  -l/--filelog changed -l/--logfile (to be consistent with ntpd)
3120
3121Documentation
3122
3123* Update html2man. Fix some tags in the .html files
3124* Distribute ntp-wait.html
3125
3126---
3127NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)
3128
3129Focus: Bug fixes and portability improvements
3130
3131Severity: Medium
3132
3133This is a recommended upgrade.
3134
3135This release includes build infrastructure updates, code
3136clean-ups, minor bug fixes, fixes for a number of minor
3137ref-clock issues, and documentation revisions.
3138
3139Portability improvements in this release affect AIX, Atari FreeMiNT,
3140FreeBSD4, Linux and Microsoft Windows.
3141
3142New features / changes in this release:
3143
3144Build system
3145* Use lsb_release to get information about Linux distributions.
3146* 'test' is in /usr/bin (instead of /bin) on some systems.
3147* Basic sanity checks for the ChangeLog file.
3148* Source certain build files with ./filename for systems without . in PATH.
3149* IRIX portability fix.
3150* Use a single copy of the "libopts" code.
3151* autogen/libopts upgrade.
3152* configure.ac m4 quoting cleanup.
3153
3154ntpd
3155* Do not bind to IN6_IFF_ANYCAST addresses.
3156* Log the reason for exiting under Windows.
3157* Multicast fixes for Windows.
3158* Interpolation fixes for Windows.
3159* IPv4 and IPv6 Multicast fixes.
3160* Manycast solicitation fixes and general repairs.
3161* JJY refclock cleanup.
3162* NMEA refclock improvements.
3163* Oncore debug message cleanup.
3164* Palisade refclock now builds under Linux.
3165* Give RAWDCF more baud rates.
3166* Support Truetime Satellite clocks under Windows.
3167* Support Arbiter 1093C Satellite clocks under Windows.
3168* Make sure that the "filegen" configuration command defaults to "enable".
3169* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
3170* Prohibit 'includefile' directive in remote configuration command.
3171* Fix 'nic' interface bindings.
3172* Fix the way we link with openssl if openssl is installed in the base
3173  system.
3174
3175ntp-keygen
3176* Fix -V coredump.
3177* OpenSSL version display cleanup.
3178
3179ntpdc
3180* Many counters should be treated as unsigned.
3181
3182ntpdate
3183* Do not ignore replies with equal receive and transmit timestamps.
3184
3185ntpq
3186* libntpq warning cleanup.
3187
3188ntpsnmpd
3189* Correct SNMP type for "precision" and "resolution".
3190* Update the MIB from the draft version to RFC-5907.
3191
3192sntp
3193* Display timezone offset when showing time for sntp in the local
3194  timezone.
3195* Pay proper attention to RATE KoD packets.
3196* Fix a miscalculation of the offset.
3197* Properly parse empty lines in the key file.
3198* Logging cleanup.
3199* Use tv_usec correctly in set_time().
3200* Documentation cleanup.
3201
3202---
3203NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)
3204
3205Focus: Bug fixes and portability improvements
3206
3207Severity: Medium
3208
3209This is a recommended upgrade.
3210
3211This release includes build infrastructure updates, code
3212clean-ups, minor bug fixes, fixes for a number of minor
3213ref-clock issues, improved KOD handling, OpenSSL related
3214updates and documentation revisions.
3215
3216Portability improvements in this release affect Irix, Linux,
3217Mac OS, Microsoft Windows, OpenBSD and QNX6
3218
3219New features / changes in this release:
3220
3221ntpd
3222* Range syntax for the trustedkey configuration directive
3223* Unified IPv4 and IPv6 restrict lists
3224
3225ntpdate
3226* Rate limiting and KOD handling
3227
3228ntpsnmpd
3229* default connection to net-snmpd via a unix-domain socket
3230* command-line 'socket name' option
3231
3232ntpq / ntpdc
3233* support for the "passwd ..." syntax
3234* key-type specific password prompts
3235
3236sntp
3237* MD5 authentication of an ntpd
3238* Broadcast and crypto
3239* OpenSSL support
3240
3241---
3242NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)
3243
3244Focus: Bug fixes, portability fixes, and documentation improvements
3245
3246Severity: Medium
3247
3248This is a recommended upgrade.
3249
3250---
3251NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
3252
3253Focus: enhancements and bug fixes.
3254
3255---
3256NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
3257
3258Focus: Security Fixes
3259
3260Severity: HIGH
3261
3262This release fixes the following high-severity vulnerability:
3263
3264* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
3265
3266  See http://support.ntp.org/security for more information.
3267
3268  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
3269  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
3270  transfers use modes 1 through 5.  Upon receipt of an incorrect mode 7
3271  request or a mode 7 error response from an address which is not listed
3272  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
3273  reply with a mode 7 error response (and log a message).  In this case:
3274
3275	* If an attacker spoofs the source address of ntpd host A in a
3276	  mode 7 response packet sent to ntpd host B, both A and B will
3277	  continuously send each other error responses, for as long as
3278	  those packets get through.
3279
3280	* If an attacker spoofs an address of ntpd host A in a mode 7
3281	  response packet sent to ntpd host A, A will respond to itself
3282	  endlessly, consuming CPU and logging excessively.
3283
3284  Credit for finding this vulnerability goes to Robin Park and Dmitri
3285  Vinokurov of Alcatel-Lucent.
3286
3287THIS IS A STRONGLY RECOMMENDED UPGRADE.
3288
3289---
3290ntpd now syncs to refclocks right away.
3291
3292Backward-Incompatible changes:
3293
3294ntpd no longer accepts '-v name' or '-V name' to define internal variables.
3295Use '--var name' or '--dvar name' instead. (Bug 817)
3296
3297---
3298NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)
3299
3300Focus: Security and Bug Fixes
3301
3302Severity: HIGH
3303
3304This release fixes the following high-severity vulnerability:
3305
3306* [Sec 1151] Remote exploit if autokey is enabled.  CVE-2009-1252
3307
3308  See http://support.ntp.org/security for more information.
3309
3310  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
3311  line) then a carefully crafted packet sent to the machine will cause
3312  a buffer overflow and possible execution of injected code, running
3313  with the privileges of the ntpd process (often root).
3314
3315  Credit for finding this vulnerability goes to Chris Ries of CMU.
3316
3317This release fixes the following low-severity vulnerabilities:
3318
3319* [Sec 1144] limited (two byte) buffer overflow in ntpq.  CVE-2009-0159
3320  Credit for finding this vulnerability goes to Geoff Keating of Apple.
3321
3322* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
3323  Credit for finding this issue goes to Dave Hart.
3324
3325This release fixes a number of bugs and adds some improvements:
3326
3327* Improved logging
3328* Fix many compiler warnings
3329* Many fixes and improvements for Windows
3330* Adds support for AIX 6.1
3331* Resolves some issues under MacOS X and Solaris
3332
3333THIS IS A STRONGLY RECOMMENDED UPGRADE.
3334
3335---
3336NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)
3337
3338Focus: Security Fix
3339
3340Severity: Low
3341
3342This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
3343the OpenSSL library relating to the incorrect checking of the return
3344value of EVP_VerifyFinal function.
3345
3346Credit for finding this issue goes to the Google Security Team for
3347finding the original issue with OpenSSL, and to ocert.org for finding
3348the problem in NTP and telling us about it.
3349
3350This is a recommended upgrade.
3351---
3352NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)
3353
3354Focus: Minor Bugfixes
3355
3356This release fixes a number of Windows-specific ntpd bugs and
3357platform-independent ntpdate bugs. A logging bugfix has been applied
3358to the ONCORE driver.
3359
3360The "dynamic" keyword and is now obsolete and deferred binding to local
3361interfaces is the new default. The minimum time restriction for the
3362interface update interval has been dropped.
3363
3364A number of minor build system and documentation fixes are included.
3365
3366This is a recommended upgrade for Windows.
3367
3368---
3369NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)
3370
3371Focus: Minor Bugfixes
3372
3373This release updates certain copyright information, fixes several display
3374bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
3375shutdown in the parse refclock driver, removes some lint from the code,
3376stops accessing certain buffers immediately after they were freed, fixes
3377a problem with non-command-line specification of -6, and allows the loopback
3378interface to share addresses with other interfaces.
3379
3380---
3381NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)
3382
3383Focus: Minor Bugfixes
3384
3385This release fixes a bug in Windows that made it difficult to
3386terminate ntpd under windows.
3387This is a recommended upgrade for Windows.
3388
3389---
3390NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)
3391
3392Focus: Minor Bugfixes
3393
3394This release fixes a multicast mode authentication problem,
3395an error in NTP packet handling on Windows that could lead to
3396ntpd crashing, and several other minor bugs. Handling of
3397multicast interfaces and logging configuration were improved.
3398The required versions of autogen and libopts were incremented.
3399This is a recommended upgrade for Windows and multicast users.
3400
3401---
3402NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)
3403
3404Focus: enhancements and bug fixes.
3405
3406Dynamic interface rescanning was added to simplify the use of ntpd in
3407conjunction with DHCP. GNU AutoGen is used for its command-line options
3408processing. Separate PPS devices are supported for PARSE refclocks, MD5
3409signatures are now provided for the release files. Drivers have been
3410added for some new ref-clocks and have been removed for some older
3411ref-clocks. This release also includes other improvements, documentation
3412and bug fixes.
3413
3414K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
3415C support.
3416
3417---
3418NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)
3419
3420Focus: enhancements and bug fixes.
3421